From 7a848baf56cc481ddb36b1b661c11e97ce7a1fe4cfcfee7cae02bb0b2ce931f8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?=
Date: Thu, 11 Dec 2025 22:40:30 +0100
Subject: [PATCH] Update to 3.14.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Security
- gh-142145: Remove quadratic behavior in xml.minidom node ID cache clearing.
- gh-119452: Fix a potential memory denial of service in the http.server module. When a malicious user is connected to the CGI server on Windows, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes.

Library
- gh-140797: Revert changes to the undocumented re.Scanner class. Capturing groups are still allowed for backward compatibility, although using them can lead to incorrect result. They will be forbidden in future Python versions.
- gh-142206: The resource tracker in the multiprocessing module now uses the original communication protocol, as in Python 3.14.0 and below, by default. This avoids issues with upgrading Python while it is running. (Note that such ‘in-place’ upgrades are not tested.) The tracker remains compatible with subprocesses that use new protocol (that is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
- gh-142214: Fix two regressions in dataclasses in Python 3.14.1 related to annotations. An exception is no longer raised if slots=True is used and the __init__ method does not have an __annotate__ attribute (likely because init=False was used). An exception is no longer raised if annotations are requested on the __init__ method and one of the fields is not present in the class annotations. This can occur in certain dynamic scenarios. Patch by Jelle Zijlstra.

Core and Builtins
- gh-142218: Fix crash when inserting into a split table dictionary with a non str key that matches an existing key.
- gh-116738: Fix cmath data race when initializing trigonometric tables with subinterpreters.

* Update to 3.14.1:

Tools/Demos
- gh-141692: Each slice of an iOS XCframework now contains a lib folder that contains a symlink to the libpython dylib. This allows binary modules to be compiled for iOS using dynamic library linking, rather than Framework linking.
- gh-141442: The iOS testbed now correctly handles test arguments that contain spaces.
- gh-140702: The iOS testbed app will now expose the GITHUB_ACTIONS environment variable to iOS apps being tested.
- gh-137484: Have Tools/wasm/wasi put the build Python into a directory named after the build triple instead of “build”.
- gh-137248: Add a --logdir option to Tools/wasm/wasi for specifying where to write log files.
- gh-137243: Have Tools/wasm/wasi detect a WASI SDK install in /opt when it was directly extracted from a release tarball.

Tests
- gh-140482: Preserve and restore the state of stty echo as part of the test environment.
- gh-140082: Update python -m test to set FORCE_COLOR=1 when being run with color enabled so that unittest which is run by it with redirected output will output in color.
- gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the --verbose option anymore. Patch by Victor Stinner.
- gh-136442: Use exitcode 1 instead of 5 if unittest.TestCase.setUpClass() raises an exception

Security
- gh-139700: Check consistency of the zip64 end of central directory record. Support records with “zip64 extensible data” if there are no bytes prepended to the ZIP file.
- gh-139283: sqlite3: correctly handle maximum number of rows to fetch in Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by Bénédikt Tran. (CVE-2025-8291, bsc#1251305)
- gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser.
- gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran.
- gh-136065: Fix quadratic complexity in os.path.expandvars() (CVE-2025-6075, bsc#1252974)
- gh-119451: Fix a potential memory denial of service in the http.client module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (CVE-2025-13836, bsc#1254400)
- gh-119342: Fix a potential memory denial of service in the plistlib module. When reading a Plist file received from untrusted source, it could cause an arbitrary amount of memory to be allocated. This could have led to symptoms including a MemoryError, swapping, out of memory (OOM) killed processes or containers, or even system crashes (CVE-2025-13837, bsc#1254401).

Library
- gh-74389: When the stdin being used by a subprocess.Popen instance is closed, this is now ignored in subprocess.Popen.communicate() instead of leaving the class in an inconsistent state.
- gh-87512: Fix subprocess.Popen.communicate() timeout handling on Windows when writing large input. Previously, the timeout was ignored during stdin writing, causing the method to block indefinitely if the child process did not consume input quickly. The stdin write is now performed in a background thread, allowing the timeout to be properly enforced.
- gh-141473: When subprocess.Popen.communicate() was called with input and a timeout and is called for a second time after a TimeoutExpired exception before the process has died, it should no longer hang.
- gh-59000: Fix pdb breakpoint resolution for class methods when the module defining the class is not imported.
- gh-141570: Support file-like object raising OSError from fileno() in color detection (_colorize.can_colorize()). This can occur when sys.stdout is redirected.
- gh-141659: Fix bad file descriptor errors from _posixsubprocess on AIX.
- gh-141600: Fix musl version detection on Void Linux.
- gh-141497: ipaddress: ensure that the methods IPv4Network.hosts() and IPv6Network.hosts() always return an iterator.
- gh-140938: The statistics.stdev() and statistics.pstdev() functions now raise a ValueError when the input contains an infinity or a NaN.
- gh-124111: Updated Tcl threading configuration in _tkinter to assume that threads are always available in Tcl 9 and later.
- gh-137109: The os.fork and related forking APIs will no longer warn in the common case where Linux or macOS platform APIs return the number of threads in a process and find the answer to be 1 even when a os.register_at_fork() after_in_parent= callback (re)starts a thread.
- gh-141314: Fix assertion failure in io.TextIOWrapper.tell() when reading files with standalone carriage return (\r) line endings.
- gh-141311: Fix assertion failure in io.BytesIO.readinto() and undefined behavior arising when read position is above capacity in io.BytesIO.
- gh-141141: Fix a thread safety issue with base64.b85decode(). Contributed by Benel Tayar.
- gh-137969: Fix annotationlib.ForwardRef.evaluate() returning ForwardRef objects which don’t update with new globals.
- gh-140911: collections: Ensure that the methods UserString.rindex() and UserString.index() accept collections.UserString instances as the sub argument.
- gh-140797: The undocumented re.Scanner class now forbids regular expressions containing capturing groups in its lexicon patterns. Patterns using capturing groups could previously lead to crashes with segmentation fault. Use non-capturing groups (?:…) instead.
- gh-125115: Refactor the pdb parsing issue so positional arguments can pass through intuitively.
- gh-140815: faulthandler now detects if a frame or a code object is invalid or freed. Patch by Victor Stinner.
- gh-100218: Correctly set errno when socket.if_nametoindex() or socket.if_indextoname() raise an OSError. Patch by Bénédikt Tran.
- gh-140875: Fix handling of unclosed character references (named and numerical) followed by the end of file in html.parser.HTMLParser with convert_charrefs=False.
- gh-140734: multiprocessing: fix off-by-one error when checking the length of a temporary socket file path. Patch by Bénédikt Tran.
- gh-140874: Bump the version of pip bundled in ensurepip to version 25.3
- gh-140691: In urllib.request, when opening a FTP URL fails because a data connection cannot be made, the control connection’s socket is now closed to avoid a ResourceWarning.
- gh-103847: Fix hang when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
- gh-120057: Add os.reload_environ() to os.__all__.
- gh-140228: Avoid making unnecessary filesystem calls for frozen modules in linecache when the global module cache is not present.
- gh-140590: Fix arguments checking for the functools.partial.__setstate__() that may lead to internal state corruption and crash. Patch by Sergey Miryanov.
- gh-125434: Display thread name in faulthandler on Windows. Patch by Victor Stinner.
- gh-140634: Fix a reference counting bug in os.sched_param.__reduce__().
- gh-140633: Ignore AttributeError when setting a module’s __file__ attribute when loading an extension module packaged as Apple Framework.
- gh-140593: xml.parsers.expat: Fix a memory leak that could affect users with ElementDeclHandler() set to a custom element declaration handler. Patch by Sebastian Pipping.
- gh-140607: Inside io.RawIOBase.read(), validate that the count of bytes returned by io.RawIOBase.readinto() is valid (inside the provided buffer).
- gh-138162: Fix logging.LoggerAdapter with merge_extra=True and without the extra argument.
- gh-138774: ast.unparse() now generates full source code when handling ast.Interpolation nodes that do not have a specified source.
- gh-140474: Fix memory leak in array.array when creating arrays from an empty str and the u type code.
- gh-137530: dataclasses Fix annotations for generated __init__ methods by replacing the annotations that were in-line in the generated source code with __annotate__ functions attached to the methods.
- gh-140348: Fix regression in Python 3.14.0 where using the | operator on a typing.Union object combined with an object that is not a type would raise an error.
- gh-140272: Fix memory leak in the clear() method of the dbm.gnu database.
- gh-140041: Fix import of ctypes on Android and Cygwin when ABI flags are present.
- gh-140120: Fixed a memory leak in hmac when it was using the hacl-star backend. Discovered by @ashm-dev using AddressSanitizer.
- gh-139905: Add suggestion to error message for typing.Generic subclasses when cls.__parameters__ is missing due to a parent class failing to call super().__init_subclass__() in its __init_subclass__.
- gh-139894: Fix incorrect sharing of current task with the child process while forking in asyncio. Patch by Kumar Aditya.
- gh-139845: Fix to not print KeyboardInterrupt twice in default asyncio REPL.
- gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line.
- gh-139809: Prevent premature colorization of subparser prog in argparse.ArgumentParser.add_subparsers() to respect color environment variable changes after parser creation.
- gh-139736: Fix excessive indentation in the default argparse HelpFormatter. Patch by Alexander Edland.
- gh-70765: http.server: fix default handling of HTTP/0.9 requests in BaseHTTPRequestHandler. Previously, BaseHTTPRequestHandler.parse_request() incorrectly waited for headers in the request although those are not supported in HTTP/0.9. Patch by Bénédikt Tran.
- gh-63161: Fix tokenize.detect_encoding(). Support non-UTF-8 shebang and comments if non-UTF-8 encoding is specified. Detect decoding error for non-UTF-8 encoding. Detect null bytes in source code.
- gh-139391: Fix an issue when, on non-Windows platforms, it was not possible to gracefully exit a python -m asyncio process suspended by Ctrl+Z and later resumed by fg other than with kill.
- gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004', 'euc_jisx0213' and 'euc_jis_2004' codecs truncating null chars as they were treated as part of multi-character sequences.
- gh-139289: Do a real lazy-import on rlcompleter in pdb and restore the existing completer after importing rlcompleter.
- gh-139246: fix: paste zero-width in default repl width is wrong.
- gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran.
- gh-139210: Fix use-after-free when reporting unknown event in xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
- gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in subprocess.
- gh-112729: Fix crash when calling concurrent.interpreters.create() when the process is out of memory.
- gh-135729: Fix unraisable exception during finalization when using concurrent.interpreters in the REPL.
- gh-139076: Fix a bug in the pydoc module that was hiding functions in a Python module if they were implemented in an extension module and the module did not have __all__.
- gh-139065: Fix trailing space before a wrapped long word if the line length is exactly width in textwrap.
- gh-139001: Fix race condition in pathlib.Path on the internal _raw_paths field.
- gh-138813: multiprocessing.BaseProcess defaults kwargs to None instead of a shared dictionary.
- gh-138993: Dedent credits text.
- gh-138891: Fix SyntaxError when inspect.get_annotations(f, eval_str=True) is called on a function annotated with a PEP 646 star_expression
- gh-130567: Fix possible crash in locale.strxfrm() due to a platform bug on macOS.
- gh-138859: Fix generic type parameterization raising a TypeError when omitting a ParamSpec that has a default which is not a list of types.
- gh-138764: Prevent annotationlib.call_annotate_function() from calling __annotate__ functions that don’t support VALUE_WITH_FAKE_GLOBALS in a fake globals namespace with empty globals. Make FORWARDREF and STRING annotations fall back to using VALUE annotations in the case that neither their own format, nor VALUE_WITH_FAKE_GLOBALS are supported.
- gh-138775: Use of python -m with base64 has been fixed to detect input from a terminal so that it properly notices EOF.
- gh-138779: Support device numbers larger than 2**63-1 for the st_rdev field of the os.stat_result structure.
- gh-137706: Fix the partial evaluation of annotations that use typing.Annotated[T, x] where T is a forward reference.
- gh-88375: Fix normalization of the robots.txt rules and URLs in the urllib.robotparser module. No longer ignore trailing ?. Distinguish raw special characters ?, = and & from the percent-encoded ones.
- gh-111788: Fix parsing errors in the urllib.robotparser module. Don’t fail trying to parse weird paths. Don’t fail trying to decode non-UTF-8 robots.txt files.
- gh-98896: Fix a failure in multiprocessing resource_tracker when SharedMemory names contain colons. Patch by Rani Pinchuk.
- gh-138425: Fix partial evaluation of annotationlib.ForwardRef objects which rely on names defined as globals.
- gh-138432: zoneinfo.reset_tzpath() will now convert any os.PathLike objects it receives into strings before adding them to TZPATH. It will raise TypeError if anything other than a string is found after this conversion. If given an os.PathLike object that represents a relative path, it will now raise ValueError instead of TypeError, and present a more informative error message.
- gh-138008: Fix segmentation faults in the ctypes module due to invalid argtypes. Patch by Dung Nguyen.
- gh-60462: Fix locale.strxfrm() on Solaris (and possibly other platforms).
- gh-138239: The REPL now highlights type as a soft keyword in type statements.
- gh-138204: Forbid expansion of shared anonymous memory maps on Linux, which caused a bus error.
- gh-138010: Fix an issue where defining a class with an @warnings.deprecated-decorated base class may not invoke the correct __init_subclass__() method in cases involving multiple inheritance. Patch by Brian Schubert.
- gh-138151: In annotationlib, improve evaluation of forward references to nonlocal variables that are not yet defined when the annotations are initially evaluated.
- gh-137317: inspect.signature() now correctly handles classes that use a descriptor on a wrapped __init__() or __new__() method. Contributed by Yongyu Yan.
- gh-137754: Fix import of the zoneinfo module if the C implementation of the datetime module is not available.
- gh-137490: Handle ECANCELED in the same way as EINTR in signal.sigwaitinfo() on NetBSD.
- gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and inspect.getsource() for generator expressions.
- gh-137044: Return large limit values as positive integers instead of negative integers in resource.getrlimit(). Accept large values and reject negative values (except RLIM_INFINITY) for limits in resource.setrlimit().
- gh-75989: tarfile.TarFile.extractall() and tarfile.TarFile.extract() now overwrite symlinks when extracting hardlinks. (Contributed by Alexander Enrique Urieles Nieto in gh-75989.)
- gh-137017: Fix threading.Thread.is_alive to remain True until the underlying OS thread is fully cleaned up. This avoids false negatives in edge cases involving thread monitoring or premature threading.Thread.is_alive calls.
- gh-137273: Fix debug assertion failure in locale.setlocale() on Windows.
- gh-137239: heapq: Update heapq.__all__ with *_max functions.
- gh-81325: tarfile.TarFile now accepts a path-like when working on a tar archive.
  (Contributed by Alexander Enrique Urieles Nieto in gh-81325.)
- gh-137185: Fix a potential async-signal-safety issue in faulthandler when printing C stack traces.
- gh-136914: Fix retrieval of doctest.DocTest.lineno for objects decorated with functools.cache() or functools.cached_property.
- gh-136912: hmac.digest() now properly handles large keys and messages by falling back to the pure Python implementation when necessary. Patch by Bénédikt Tran.
- gh-83424: Allows creating a ctypes.CDLL without name when passing a handle as an argument.
- gh-136234: Fix asyncio.WriteTransport.writelines() to be robust to connection failure, by using the same behavior as write().
- gh-136507: Fix mimetypes CLI to handle multiple file parameters.
- gh-136057: Fixed the bug in pdb and bdb where next and step can’t go over the line if a loop exists in the line.
- gh-135386: Fix opening a dbm.sqlite3 database for reading from read-only file or directory.
- gh-135444: Fix asyncio.DatagramTransport.sendto() to account for datagram header size when data cannot be sent.
- gh-126631: Fix multiprocessing forkserver bug which prevented __main__ from being preloaded.
- gh-135307: email: Fix exception in set_content() when encoding text and max_line_length is set to 0 or None (unlimited).
- gh-134453: Fixed subprocess.Popen.communicate() input= handling of memoryview instances that were non-byte shaped on POSIX platforms. Those are now properly cast to a byte shaped view instead of truncating the input. Windows platforms did not have this bug.
- gh-134698: Fix a crash when calling methods of ssl.SSLContext or ssl.SSLSocket across multiple threads.
- gh-125996: Fix thread safety of collections.OrderedDict. Patch by Kumar Aditya.
- gh-133789: Fix unpickling of pathlib objects that were pickled in Python 3.13.
- gh-127081: Fix libc thread safety issues with dbm by performing stateful operations in critical sections.
- gh-132551: Make io.BytesIO safe in free-threaded build.
- gh-131788: Make ResourceTracker.send from multiprocessing re-entrant safe
- gh-118981: Fix potential hang in multiprocessing.popen_spawn_posix that can happen when the child proc dies early by closing the child fds right away.
- gh-102431: Clarify constraints for “logical” arguments in methods of decimal.Context.
- gh-78319: UTF8 support for the IMAP APPEND command has been made RFC compliant.
bpo-38735: Fix failure when importing a module from the root directory on unix-like platforms with sys.pycache_prefix set.
bpo-41839: Allow negative priority values from os.sched_get_priority_min() and os.sched_get_priority_max() functions.

IDLE
- gh-96491: Deduplicate version number in IDLE shell title bar after saving to a file.
- gh-139742: Colorize t-string prefixes for template strings in IDLE, as done for f-string prefixes.

Documentation
- gh-141994: xml.sax.handler: Make Documentation of xml.sax.handler.feature_external_ges warn of opening up to external entity attacks. Patch by Sebastian Pipping.
- gh-140578: Remove outdated sentence in the documentation for multiprocessing, that implied that concurrent.futures.ThreadPoolExecutor did not exist.

Core and Builtins
- gh-142048: Fix quadratically increasing garbage collection delays in free-threaded build.
- gh-116738: Fix thread safety issue with re scanner objects in free-threaded builds.
- gh-141930: When importing a module, use Python’s regular file object to ensure that writes to .pyc files are complete or an appropriate error is raised.
- gh-120158: Fix inconsistent state when enabling or disabling monitoring events too many times.
- gh-139653: Only raise a RecursionError or trigger a fatal error if the stack pointer is both below the limit pointer and above the stack base. If outside of these bounds assume that it is OK. This prevents false positives when user-space threads swap stacks.
- gh-139103: Improve multithreaded scaling of dataclasses on the free-threaded build.
- gh-141579: Fix sys.activate_stack_trampoline() to properly support the perf_jit backend. Patch by Pablo Galindo.
- gh-114203: Skip locking if object is already locked by two-mutex critical section.
- gh-141528: Suggest using concurrent.interpreters.Interpreter.close() instead of the private _interpreters.destroy function when warning about remaining subinterpreters. Patch by Sergey Miryanov.
- gh-141312: Fix the assertion failure in the __setstate__ method of the range iterator when a non-integer argument is passed. Patch by Sergey Miryanov.
- gh-116738: Make csv module thread-safe on the free threaded build.
- gh-140939: Fix memory leak when bytearray or bytes is formatted with the %*b format with a large width that results in a MemoryError.
- gh-140260: Fix struct data race in endian table initialization with subinterpreters. Patch by Shamil Abdulaev.
- gh-140530: Fix a reference leak when raise exc from cause fails. Patch by Bénédikt Tran.
- gh-140373: Correctly emit PY_UNWIND event when generator object is closed. Patch by Mikhail Efimov.
- gh-140576: Fixed crash in tokenize.generate_tokens() in case of specific incorrect input. Patch by Mikhail Efimov.
- gh-140551: Fixed crash in dict if dict.clear() is called at the lookup stage. Patch by Mikhail Efimov and Inada Naoki.
- gh-140517: Fixed a reference leak when iterating over the result of map() with strict=True when the input iterables have different lengths. Patch by Mikhail Efimov.
- gh-140471: Fix potential buffer overflow in ast.AST node initialization when encountering malformed _fields containing non-str.
- gh-140431: Fix a crash in Python’s garbage collector due to partially initialized coroutine objects when coroutine origin tracking depth is enabled (sys.set_coroutine_origin_tracking_depth()).
- gh-140398: Fix memory leaks in readline functions read_init_file(), read_history_file(), write_history_file(), and append_history_file() when PySys_Audit() fails.
- gh-140406: Fix memory leak when an object’s __hash__() method returns an object that isn’t an int.
- gh-140358: Restore elapsed time and unreachable object count in GC debug output. These were inadvertently removed during a refactor of gc.c. The debug log now again reports elapsed collection time and the number of unreachable objects. Contributed by Pål Grønås Drange.
- gh-140306: Fix memory leaks in cross-interpreter channel operations and shared namespace handling.
- gh-140301: Fix memory leak of PyConfig in subinterpreters.
- gh-140257: Fix data race between interpreter_clear() and take_gil() on eval_breaker during finalization with daemon threads.
- gh-139951: Fixes a regression in GC performance for a growing heap composed mostly of small tuples. Counts number of actually tracked objects, instead of trackable objects. This ensures that untracking tuples has the desired effect of reducing GC overhead. Does not track most untrackable tuples during creation. This prevents large numbers of small tuples causing excessive GCs.
- gh-140104: Fix a bug with exception handling in the JIT. Patch by Ken Jin. Bug reported by Daniel Diniz.
- gh-140061: Fixing the checking of whether an object is uniquely referenced to ensure free-threaded compatibility. Patch by Sergey Miryanov.
- gh-140067: Fix memory leak in sub-interpreter creation.
- gh-140000: Fix potential memory leak when a reference cycle exists between an instance of typing.TypeAliasType, typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple and its __name__ attribute. Patch by Mikhail Efimov.
- gh-139914: Restore support for HP PA-RISC, which has an upwards-growing stack.
- gh-139988: Fix a memory leak when failing to create a Union type. Patch by Bénédikt Tran.
- gh-139748: Fix reference leaks in error branches of functions accepting path strings or bytes such as compile() and os.system(). Patch by Bénédikt Tran.
- gh-139516: Fix lambda colon erroneously start format spec in f-string in tokenizer.
- gh-139640: ast.parse() no longer emits syntax warnings for return/break/continue in finally (see PEP 765) – they are only emitted during compilation.
- gh-139640: Fix swallowing some syntax warnings in different modules if they accidentally have the same message and are emitted from the same line. Fix duplicated warnings in the finally block.
- gh-63161: Support non-UTF-8 shebang and comments in Python source files if non-UTF-8 encoding is specified. Detect decoding error in comments for default (UTF-8) encoding. Show the line and position of decoding error for default encoding in a traceback. Show the line containing the coding cookie when it conflicts with the BOM in a traceback.
- gh-116738: Make mmap thread-safe on the free threaded build.
- gh-138558: Fix handling of unusual t-string annotations in annotationlib. Patch by Dave Peck.
- gh-134466: Don’t run PyREPL in a degraded environment where setting termios attributes is not allowed.
- gh-138944: Fix SyntaxError message when invalid syntax appears on the same line as a valid import ... as ... or from ... import ... as ... statement. Patch by Brian Schubert.
- gh-105487: Remove non-existent __copy__(), __deepcopy__(), and __bases__ from the __dir__() entries of types.GenericAlias.
- gh-69605: Fix some standard library submodules missing from the REPL auto-completion of imports.
- gh-116738: Make cProfile thread-safe on the free threaded build.
- gh-138004: On Solaris/Illumos platforms, thread names are now encoded as ASCII to avoid errors on systems (e.g. OpenIndiana) that don’t support non-ASCII names.
- gh-137433: Fix a potential deadlock in the free threading build when daemon threads enable or disable profiling or tracing while the main thread is shutting down the interpreter.
- gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads().
- gh-58124: Fix name of the Python encoding in Unicode errors of the code page codec: use “cp65000” and “cp65001” instead of “CP_UTF7” and “CP_UTF8” which are not valid Python code names. Patch by Victor Stinner.
- gh-132657: Improve performance of frozenset by removing locks in the free-threading build.
- gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to match old pre-3.13 REPL behavior.
- gh-128640: Fix a crash when using threads inside of a subinterpreter.

C API
- gh-137422: Fix free threading race condition in PyImport_AddModuleRef(). It was previously possible for two calls to the function return two different objects, only one of which was stored in sys.modules.
- gh-140042: Removed the sqlite3_shutdown call that could cause closing connections for sqlite when used with multiple sub interpreters.
- gh-141042: Make qNaN in PyFloat_Pack2() and PyFloat_Pack4(), if while conversion to a narrower precision floating-point format — the remaining after truncation payload will be zero. Patch by Sergey B Kirpichev.
- gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API 3.11 and older: don’t treat Py_NotImplemented as immortal. Patch by Victor Stinner.
- gh-140153: Fix Py_REFCNT() definition on limited C API 3.11-3.13. Patch by Victor Stinner.
- gh-139653: Add PyUnstable_ThreadState_SetStackProtection() and PyUnstable_ThreadState_ResetStackProtection() functions to set the stack protection base address and stack protection size of a Python thread state. Patch by Victor Stinner.

Build
- gh-141808: Do not generate the jit stencils twice in case of PGO builds on Windows.
- gh-141784: Fix _remote_debugging_module.c compilation on 32-bit Linux.
  Include Python.h before system headers to make sure that _remote_debugging_module.c uses the same types (ABI) than Python. Patch by Victor Stinner.
- gh-140768: Warn when the WASI SDK version doesn’t match what’s supported.
- gh-140513: Generate a clear compilation error when _Py_TAIL_CALL_INTERP is enabled but either preserve_none or musttail is not supported.
- gh-140189: iOS builds were added to CI.
- gh-138489: When cross-compiling for WASI by build_wasm or build_emscripten, the build-details.json step is now included in the build process, just like with native builds. This fixes the libinstall task which requires the build-details.json file during the process.
- gh-137618: PYTHON_FOR_REGEN now requires Python 3.10 to Python 3.15. Patch by Adam Turner.
- gh-123681: Check the strftime() behavior at runtime instead of at the compile time to support cross-compiling. Remove the internal macro _Py_NORMALIZE_CENTURY.

Remove upstreamed patches:
- CVE-2025-6075-expandvars-perf-degrad.patch
- CVE-2025-8291-consistency-zip64.patch
--- ...3-52425-libexpat-2.6.0-backport-15.6.patch | 24 +- CVE-2025-6075-expandvars-perf-degrad.patch | 374 ----------- CVE-2025-8291-consistency-zip64.patch | 306 --------- Python-3.14.0.tar.xz | 3 - Python-3.14.0.tar.xz.sigstore | 1 - Python-3.14.2.tar.xz | 3 + Python-3.14.2.tar.xz.sigstore | 1 + bpo-31046_ensurepip_honours_prefix.patch | 40 +- fix-test-recursion-limit-15.6.patch | 8 +- gh139257-Support-docutils-0.22.patch | 148 ++++- python-3.3.0b1-fix_date_time_compiler.patch | 8 +- python314-base.rpmlintrc | 4 + python314.changes | 609 ++++++++++++++++++ python314.rpmlintrc | 4 + python314.spec | 10 +- 15 files changed, 796 insertions(+), 747 deletions(-) delete mode 100644 CVE-2025-6075-expandvars-perf-degrad.patch delete mode 100644 CVE-2025-8291-consistency-zip64.patch delete mode 100644 Python-3.14.0.tar.xz delete mode 100644 Python-3.14.0.tar.xz.sigstore create mode 100644 Python-3.14.2.tar.xz create mode 100644 
Python-3.14.2.tar.xz.sigstore create mode 100644 python314-base.rpmlintrc create mode 100644 python314.rpmlintrc diff --git a/CVE-2023-52425-libexpat-2.6.0-backport-15.6.patch b/CVE-2023-52425-libexpat-2.6.0-backport-15.6.patch index 767e62c..ad6e5c1 100644 --- a/CVE-2023-52425-libexpat-2.6.0-backport-15.6.patch +++ b/CVE-2023-52425-libexpat-2.6.0-backport-15.6.patch @@ -4,11 +4,11 @@ Lib/test/test_xml_etree.py | 10 ++++++++++ 3 files changed, 17 insertions(+) -Index: Python-3.14.0/Lib/test/test_pyexpat.py +Index: Python-3.14.2/Lib/test/test_pyexpat.py =================================================================== ---- Python-3.14.0.orig/Lib/test/test_pyexpat.py 2025-10-08 11:27:29.989583305 +0200 -+++ Python-3.14.0/Lib/test/test_pyexpat.py 2025-10-08 11:28:09.418914658 +0200 -@@ -827,6 +827,10 @@ +--- Python-3.14.2.orig/Lib/test/test_pyexpat.py 2025-12-11 18:10:58.057084164 +0100 ++++ Python-3.14.2/Lib/test/test_pyexpat.py 2025-12-11 18:12:07.480767746 +0100 +@@ -848,6 +848,10 @@ self.assertEqual(started, ['doc']) def test_reparse_deferral_disabled(self): @@ -19,10 +19,10 @@ Index: Python-3.14.0/Lib/test/test_pyexpat.py started = [] def start_element(name, _): -Index: Python-3.14.0/Lib/test/test_sax.py +Index: Python-3.14.2/Lib/test/test_sax.py =================================================================== ---- Python-3.14.0.orig/Lib/test/test_sax.py 2025-10-08 11:27:30.053760879 +0200 -+++ Python-3.14.0/Lib/test/test_sax.py 2025-10-08 11:28:09.419532320 +0200 +--- Python-3.14.2.orig/Lib/test/test_sax.py 2025-12-11 18:10:58.116419305 +0100 ++++ Python-3.14.2/Lib/test/test_sax.py 2025-12-11 18:12:07.481506046 +0100 @@ -1241,6 +1241,9 @@ self.assertEqual(result.getvalue(), start + b"") 
@@ -33,10 +33,10 @@ Index: Python-3.14.0/Lib/test/test_sax.py def test_flush_reparse_deferral_disabled(self): result = BytesIO() xmlgen = XMLGenerator(result) -Index: Python-3.14.0/Lib/test/test_xml_etree.py +Index: Python-3.14.2/Lib/test/test_xml_etree.py =================================================================== ---- Python-3.14.0.orig/Lib/test/test_xml_etree.py 2025-10-08 11:27:30.502943506 +0200 -+++ Python-3.14.0/Lib/test/test_xml_etree.py 2025-10-08 11:28:09.420206077 +0200 +--- Python-3.14.2.orig/Lib/test/test_xml_etree.py 2025-12-11 18:10:58.548740381 +0100 ++++ Python-3.14.2/Lib/test/test_xml_etree.py 2025-12-11 18:12:07.481767744 +0100 @@ -138,6 +138,11 @@ return mock.patch.object(cls, "__eq__", autospec=True, wraps=eq) @@ -49,7 +49,7 @@ Index: Python-3.14.0/Lib/test/test_xml_etree.py def checkwarnings(*filters, quiet=False): def decorator(test): def newtest(*args, **kwargs): -@@ -1547,9 +1552,11 @@ +@@ -1573,9 +1578,11 @@ self.assert_event_tags(parser, [('end', 'root')]) self.assertIsNone(parser.close()) @@ -61,7 +61,7 @@ Index: Python-3.14.0/Lib/test/test_xml_etree.py def test_simple_xml_chunk_5(self): self.test_simple_xml(chunk_size=5, flush=True) -@@ -1774,6 +1781,9 @@ +@@ -1802,6 +1809,9 @@ self.assert_event_tags(parser, [('end', 'doc')]) diff --git a/CVE-2025-6075-expandvars-perf-degrad.patch b/CVE-2025-6075-expandvars-perf-degrad.patch deleted file mode 100644 index 1cd5bbe..0000000 --- a/CVE-2025-6075-expandvars-perf-degrad.patch +++ /dev/null 
@@ -1,374 +0,0 @@ -From 5c0bf5295a6a38ee7540e447bcdc4889d131e261 Mon Sep 17 00:00:00 2001 -From: Serhiy Storchaka -Date: Fri, 31 Oct 2025 15:49:51 +0200 -Subject: [PATCH] [3.14] gh-136065: Fix quadratic complexity in - os.path.expandvars() (GH-134952) (cherry picked from commit - f029e8db626ddc6e3a3beea4eff511a71aaceb5c) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Co-authored-by: Serhiy Storchaka -Co-authored-by: Łukasz Langa ---- - Lib/ntpath.py | 126 ++++++------------ - Lib/posixpath.py | 43 +++--- - Lib/test/test_genericpath.py | 21 ++- - Lib/test/test_ntpath.py | 22 ++- - ...-05-30-22-33-27.gh-issue-136065.bu337o.rst | 1 + - 5 files changed, 96 insertions(+), 117 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst - -diff --git a/Lib/ntpath.py b/Lib/ntpath.py -index 9cdc16480f9afe..01f060e70beed9 100644 ---- a/Lib/ntpath.py -+++ b/Lib/ntpath.py -@@ -400,17 +400,23 @@ def expanduser(path): - # XXX With COMMAND.COM you can use any characters in a variable name, - # XXX except '^|<>='. - -+_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)" -+_varsub = None -+_varsubb = None -+ - def expandvars(path): - """Expand shell variables of the forms $var, ${var} and %var%. 
- - Unknown variables are left unchanged.""" - path = os.fspath(path) -+ global _varsub, _varsubb - if isinstance(path, bytes): - if b'$' not in path and b'%' not in path: - return path -- import string -- varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii') -- quote = b'\'' -+ if not _varsubb: -+ import re -+ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub -+ sub = _varsubb - percent = b'%' - brace = b'{' - rbrace = b'}' -@@ -419,94 +425,44 @@ def expandvars(path): - else: - if '$' not in path and '%' not in path: - return path -- import string -- varchars = string.ascii_letters + string.digits + '_-' -- quote = '\'' -+ if not _varsub: -+ import re -+ _varsub = re.compile(_varpattern, re.ASCII).sub -+ sub = _varsub - percent = '%' - brace = '{' - rbrace = '}' - dollar = '$' - environ = os.environ -- res = path[:0] -- index = 0 -- pathlen = len(path) -- while index < pathlen: -- c = path[index:index+1] -- if c == quote: # no expansion within single quotes -- path = path[index + 1:] -- pathlen = len(path) -- try: -- index = path.index(c) -- res += c + path[:index + 1] -- except ValueError: -- res += c + path -- index = pathlen - 1 -- elif c == percent: # variable or '%' -- if path[index + 1:index + 2] == percent: -- res += c -- index += 1 -- else: -- path = path[index+1:] -- pathlen = len(path) -- try: -- index = path.index(percent) -- except ValueError: -- res += percent + path -- index = pathlen - 1 -- else: -- var = path[:index] -- try: -- if environ is None: -- value = os.fsencode(os.environ[os.fsdecode(var)]) -- else: -- value = environ[var] -- except KeyError: -- value = percent + var + percent -- res += value -- elif c == dollar: # variable or '$$' -- if path[index + 1:index + 2] == dollar: -- res += c -- index += 1 -- elif path[index + 1:index + 2] == brace: -- path = path[index+2:] -- pathlen = len(path) -- try: -- index = path.index(rbrace) -- except ValueError: -- res += dollar + brace + path -- index = pathlen - 1 -- else: -- 
var = path[:index] -- try: -- if environ is None: -- value = os.fsencode(os.environ[os.fsdecode(var)]) -- else: -- value = environ[var] -- except KeyError: -- value = dollar + brace + var + rbrace -- res += value -- else: -- var = path[:0] -- index += 1 -- c = path[index:index + 1] -- while c and c in varchars: -- var += c -- index += 1 -- c = path[index:index + 1] -- try: -- if environ is None: -- value = os.fsencode(os.environ[os.fsdecode(var)]) -- else: -- value = environ[var] -- except KeyError: -- value = dollar + var -- res += value -- if c: -- index -= 1 -+ -+ def repl(m): -+ lastindex = m.lastindex -+ if lastindex is None: -+ return m[0] -+ name = m[lastindex] -+ if lastindex == 1: -+ if name == percent: -+ return name -+ if not name.endswith(percent): -+ return m[0] -+ name = name[:-1] - else: -- res += c -- index += 1 -- return res -+ if name == dollar: -+ return name -+ if name.startswith(brace): -+ if not name.endswith(rbrace): -+ return m[0] -+ name = name[1:-1] -+ -+ try: -+ if environ is None: -+ return os.fsencode(os.environ[os.fsdecode(name)]) -+ else: -+ return environ[name] -+ except KeyError: -+ return m[0] -+ -+ return sub(repl, path) - - - # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B. -diff --git a/Lib/posixpath.py b/Lib/posixpath.py -index d38f3bd5872bcd..ad86cc06c017a0 100644 ---- a/Lib/posixpath.py -+++ b/Lib/posixpath.py -@@ -284,42 +284,41 @@ def expanduser(path): - # This expands the forms $variable and ${variable} only. - # Non-existent variables are left unchanged. - --_varprog = None --_varprogb = None -+_varpattern = r'\$(\w+|\{[^}]*\}?)' -+_varsub = None -+_varsubb = None - - def expandvars(path): - """Expand shell variables of form $var and ${var}. 
Unknown variables - are left unchanged.""" - path = os.fspath(path) -- global _varprog, _varprogb -+ global _varsub, _varsubb - if isinstance(path, bytes): - if b'$' not in path: - return path -- if not _varprogb: -+ if not _varsubb: - import re -- _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII) -- search = _varprogb.search -+ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub -+ sub = _varsubb - start = b'{' - end = b'}' - environ = getattr(os, 'environb', None) - else: - if '$' not in path: - return path -- if not _varprog: -+ if not _varsub: - import re -- _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII) -- search = _varprog.search -+ _varsub = re.compile(_varpattern, re.ASCII).sub -+ sub = _varsub - start = '{' - end = '}' - environ = os.environ -- i = 0 -- while True: -- m = search(path, i) -- if not m: -- break -- i, j = m.span(0) -- name = m.group(1) -- if name.startswith(start) and name.endswith(end): -+ -+ def repl(m): -+ name = m[1] -+ if name.startswith(start): -+ if not name.endswith(end): -+ return m[0] - name = name[1:-1] - try: - if environ is None: -@@ -327,13 +326,11 @@ def expandvars(path): - else: - value = environ[name] - except KeyError: -- i = j -+ return m[0] - else: -- tail = path[j:] -- path = path[:i] + value -- i = len(path) -- path += tail -- return path -+ return value -+ -+ return sub(repl, path) - - - # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B. 
-diff --git a/Lib/test/test_genericpath.py b/Lib/test/test_genericpath.py -index df07af01fc7540..1a44cedcd360b1 100644 ---- a/Lib/test/test_genericpath.py -+++ b/Lib/test/test_genericpath.py -@@ -7,9 +7,9 @@ - import sys - import unittest - import warnings --from test.support import ( -- is_apple, is_emscripten, os_helper, warnings_helper --) -+from test import support -+from test.support import os_helper -+from test.support import warnings_helper - from test.support.script_helper import assert_python_ok - from test.support.os_helper import FakePath - -@@ -445,6 +445,19 @@ def check(value, expected): - os.fsencode('$bar%s bar' % nonascii)) - check(b'$spam}bar', os.fsencode('%s}bar' % nonascii)) - -+ @support.requires_resource('cpu') -+ def test_expandvars_large(self): -+ expandvars = self.pathmodule.expandvars -+ with os_helper.EnvironmentVarGuard() as env: -+ env.clear() -+ env["A"] = "B" -+ n = 100_000 -+ self.assertEqual(expandvars('$A'*n), 'B'*n) -+ self.assertEqual(expandvars('${A}'*n), 'B'*n) -+ self.assertEqual(expandvars('$A!'*n), 'B!'*n) -+ self.assertEqual(expandvars('${A}A'*n), 'BA'*n) -+ self.assertEqual(expandvars('${'*10*n), '${'*10*n) -+ - def test_abspath(self): - self.assertIn("foo", self.pathmodule.abspath("foo")) - with warnings.catch_warnings(): -@@ -502,7 +515,7 @@ def test_nonascii_abspath(self): - # directory (when the bytes name is used). 
- and sys.platform not in { - "win32", "emscripten", "wasi" -- } and not is_apple -+ } and not support.is_apple - ): - name = os_helper.TESTFN_UNDECODABLE - elif os_helper.TESTFN_NONASCII: -diff --git a/Lib/test/test_ntpath.py b/Lib/test/test_ntpath.py -index 03bfccf260b25d..9270f3257068d6 100644 ---- a/Lib/test/test_ntpath.py -+++ b/Lib/test/test_ntpath.py -@@ -7,8 +7,7 @@ - import unittest - import warnings - from test import support --from test.support import cpython_only, os_helper --from test.support import TestFailed -+from test.support import os_helper - from ntpath import ALLOW_MISSING - from test.support.os_helper import FakePath - from test import test_genericpath -@@ -59,7 +58,7 @@ def tester(fn, wantResult): - fn = fn.replace("\\", "\\\\") - gotResult = eval(fn) - if wantResult != gotResult and _norm(wantResult) != _norm(gotResult): -- raise TestFailed("%s should return: %s but returned: %s" \ -+ raise support.TestFailed("%s should return: %s but returned: %s" \ - %(str(fn), str(wantResult), str(gotResult))) - - # then with bytes -@@ -75,7 +74,7 @@ def tester(fn, wantResult): - warnings.simplefilter("ignore", DeprecationWarning) - gotResult = eval(fn) - if _norm(wantResult) != _norm(gotResult): -- raise TestFailed("%s should return: %s but returned: %s" \ -+ raise support.TestFailed("%s should return: %s but returned: %s" \ - %(str(fn), str(wantResult), repr(gotResult))) - - -@@ -1022,6 +1021,19 @@ def check(value, expected): - check('%spam%bar', '%sbar' % nonascii) - check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii) - -+ @support.requires_resource('cpu') -+ def test_expandvars_large(self): -+ expandvars = ntpath.expandvars -+ with os_helper.EnvironmentVarGuard() as env: -+ env.clear() -+ env["A"] = "B" -+ n = 100_000 -+ self.assertEqual(expandvars('%A%'*n), 'B'*n) -+ self.assertEqual(expandvars('%A%A'*n), 'BA'*n) -+ self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%') -+ self.assertEqual(expandvars("%%"*n), "%"*n) -+ 
self.assertEqual(expandvars("$$"*n), "$"*n) -+ - def test_expanduser(self): - tester('ntpath.expanduser("test")', 'test') - -@@ -1439,7 +1451,7 @@ def test_con_device(self): - self.assertTrue(os.path.exists(r"\\.\CON")) - - @unittest.skipIf(sys.platform != 'win32', "Fast paths are only for win32") -- @cpython_only -+ @support.cpython_only - def test_fast_paths_in_use(self): - # There are fast paths of these functions implemented in posixmodule.c. - # Confirm that they are being used, and not the Python fallbacks in -diff --git a/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst -new file mode 100644 -index 00000000000000..1d152bb5318380 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst -@@ -0,0 +1 @@ -+Fix quadratic complexity in :func:`os.path.expandvars`. diff --git a/CVE-2025-8291-consistency-zip64.patch b/CVE-2025-8291-consistency-zip64.patch deleted file mode 100644 index 4a76545..0000000 --- a/CVE-2025-8291-consistency-zip64.patch +++ /dev/null 
@@ -1,306 +0,0 @@ -From 5454f861e2b3c96fa1e6430dc952544670955f69 Mon Sep 17 00:00:00 2001 -From: Serhiy Storchaka -Date: Tue, 7 Oct 2025 20:15:26 +0300 -Subject: [PATCH] gh-139700: Check consistency of the zip64 end of central - directory record (GH-139702) - -Support records with "zip64 extensible data" if there are no bytes -prepended to the ZIP file. -(cherry picked from commit 162997bb70e067668c039700141770687bc8f267) - -Co-authored-by: Serhiy Storchaka ---- - Lib/test/test_zipfile/test_core.py | 82 +++++++++- - Lib/zipfile/__init__.py | 51 +++--- - Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst | 3 - 3 files changed, 113 insertions(+), 23 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst - -Index: Python-3.14.0/Lib/test/test_zipfile/test_core.py -=================================================================== ---- Python-3.14.0.orig/Lib/test/test_zipfile/test_core.py 2025-11-12 01:03:54.947094045 +0100 -+++ Python-3.14.0/Lib/test/test_zipfile/test_core.py 2025-11-12 01:04:11.766432381 +0100 -@@ -898,6 +898,8 @@ - self, file_size_64_set=False, file_size_extra=False, - compress_size_64_set=False, compress_size_extra=False, - header_offset_64_set=False, header_offset_extra=False, -+ extensible_data=b'', -+ end_of_central_dir_size=None, offset_to_end_of_central_dir=None, - ): - """Generate bytes sequence for a zip with (incomplete) zip64 data. - -@@ -951,6 +953,12 @@ - - central_dir_size = struct.pack(' 2: - inferred = concat + offset_cd -@@ -289,16 +286,15 @@ - """ - Read the ZIP64 end-of-archive records and use that to update endrec - """ -- try: -- fpin.seek(offset - sizeEndCentDir64Locator, 2) -- except OSError: -- # If the seek fails, the file is not large enough to contain a ZIP64 -+ offset -= sizeEndCentDir64Locator -+ if offset < 0: -+ # The file is not large enough to contain a ZIP64 - # end-of-archive record, so just return the end record we were given. 
- return endrec -- -+ fpin.seek(offset) - data = fpin.read(sizeEndCentDir64Locator) - if len(data) != sizeEndCentDir64Locator: -- return endrec -+ raise OSError("Unknown I/O error") - sig, diskno, reloff, disks = struct.unpack(structEndArchive64Locator, data) - if sig != stringEndArchive64Locator: - return endrec -@@ -306,16 +302,33 @@ - if diskno != 0 or disks > 1: - raise BadZipFile("zipfiles that span multiple disks are not supported") - -- # Assume no 'zip64 extensible data' -- fpin.seek(offset - sizeEndCentDir64Locator - sizeEndCentDir64, 2) -+ offset -= sizeEndCentDir64 -+ if reloff > offset: -+ raise BadZipFile("Corrupt zip64 end of central directory locator") -+ # First, check the assumption that there is no prepended data. -+ fpin.seek(reloff) -+ extrasz = offset - reloff - data = fpin.read(sizeEndCentDir64) - if len(data) != sizeEndCentDir64: -- return endrec -+ raise OSError("Unknown I/O error") -+ if not data.startswith(stringEndArchive64) and reloff != offset: -+ # Since we already have seen the Zip64 EOCD Locator, it's -+ # possible we got here because there is prepended data. 
-+ # Assume no 'zip64 extensible data' -+ fpin.seek(offset) -+ extrasz = 0 -+ data = fpin.read(sizeEndCentDir64) -+ if len(data) != sizeEndCentDir64: -+ raise OSError("Unknown I/O error") -+ if not data.startswith(stringEndArchive64): -+ raise BadZipFile("Zip64 end of central directory record not found") -+ - sig, sz, create_version, read_version, disk_num, disk_dir, \ - dircount, dircount2, dirsize, diroffset = \ - struct.unpack(structEndArchive64, data) -- if sig != stringEndArchive64: -- return endrec -+ if (diroffset + dirsize != reloff or -+ sz + 12 != sizeEndCentDir64 + extrasz): -+ raise BadZipFile("Corrupt zip64 end of central directory record") - - # Update the original endrec using data from the ZIP64 record - endrec[_ECD_SIGNATURE] = sig -@@ -325,6 +338,7 @@ - endrec[_ECD_ENTRIES_TOTAL] = dircount2 - endrec[_ECD_SIZE] = dirsize - endrec[_ECD_OFFSET] = diroffset -+ endrec[_ECD_LOCATION] = offset - extrasz - return endrec - - -@@ -358,7 +372,7 @@ - endrec.append(filesize - sizeEndCentDir) - - # Try to read the "Zip64 end of central directory" structure -- return _EndRecData64(fpin, -sizeEndCentDir, endrec) -+ return _EndRecData64(fpin, filesize - sizeEndCentDir, endrec) - - # Either this is not a ZIP file, or it is a ZIP file with an archive - # comment. 
Search the end of the file for the "end of central directory" -@@ -382,8 +396,7 @@ - endrec.append(maxCommentStart + start) - - # Try to read the "Zip64 end of central directory" structure -- return _EndRecData64(fpin, maxCommentStart + start - filesize, -- endrec) -+ return _EndRecData64(fpin, maxCommentStart + start, endrec) - - # Unable to find a valid end of central directory structure - return None -@@ -2142,7 +2155,7 @@ - " would require ZIP64 extensions") - zip64endrec = struct.pack( - structEndArchive64, stringEndArchive64, -- 44, 45, 45, 0, 0, centDirCount, centDirCount, -+ sizeEndCentDir64 - 12, 45, 45, 0, 0, centDirCount, centDirCount, - centDirSize, centDirOffset) - self.fp.write(zip64endrec) - -Index: Python-3.14.0/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ Python-3.14.0/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst 2025-11-12 01:04:11.767493557 +0100 -@@ -0,0 +1,3 @@ -+Check consistency of the zip64 end of central directory record. Support -+records with "zip64 extensible data" if there are no bytes prepended to the -+ZIP file. diff --git a/Python-3.14.0.tar.xz b/Python-3.14.0.tar.xz deleted file mode 100644 index 7b2299a..0000000 --- a/Python-3.14.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2299dae542d395ce3883aca00d3c910307cd68e0b2f7336098c8e7b7eee9f3e9 -size 23595844 diff --git a/Python-3.14.0.tar.xz.sigstore b/Python-3.14.0.tar.xz.sigstore deleted file mode 100644 index 2ebe860..0000000 --- a/Python-3.14.0.tar.xz.sigstore +++ /dev/null 
@@ -1 +0,0 @@ -{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "588222392", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1759846578", "inclusionPromise": {"signedEntryTimestamp": "MEQCIBS/mvM2EUceWygdN+NmnJMehkFY1fRkmVmmDNICfxWVAiAoN7Vofd2SVuJYSxO/onzd87/3bWNogJlDvI7uZSTR1Q=="}, "inclusionProof": {"logIndex": "466318130", "rootHash": "RcerGwX5+QIiZjrznmUlSGFvuGAq3RMLk/7Aj/T6M3I=", "treeSize": "466318146", "hashes": ["5uTZFkdYgFmKJJdqzeeKZfjnq5Mx9K0tDsF0fjJzkCk=", "RL5Hp6IOaxPi5M/m3s97bDoAnRux0/JBccJ4+/B1vro=", "JYAmi+fU2/Su8fHV3tfQcbY//eCoHsfd2H7O1hs6HIQ=", "BbdwHf9ld92J1gFR6vWH/Gv+L9YTGwWAQytyDm+6jYc=", "J0rXI11jq+mZyPMktZmo2UlHPQw0Wyl70FQBNujJJog=", "tcYxYlxPe1g09Dr+wGWIPrCmHuFjjjwqZ4gRokgj4zE=", "X0IhqC7U/8YmeUILMTYIvlKoBEAX3aFw3IWHNcfJifc=", "kQWzYHtEr0Vhaq6Z6v4TIiuia6GrJLKcYKs25NPvkms=", "WjmJ5Vrat53AbuDR9WjO4SQADjlfkyyq+bKkkBO984w=", "k9qNU1WjJDQJ+e4prrbcOORJ5aMBlkIBACMsgKoANg0=", "Z7pLmTcnciyz67VEWMgPwiokTg9JVUQWrPf+VS85VlA=", "y/7hUHbXERsQubPR1m2uvZSz3rFsW3d9dP51hoTyX/U=", "19j/ye5CX1xbsCqb7Xkr1O2BXIOAWPwZsn7TDtr6UVc=", "JVKPJjj8WVb6G2sYzX+4PL9fC+4qskYANlO6/TIjQsE=", "XTHRaE0cHDl9HYIIwtlwjCK2+pmMP8G2rv801RmA0U8=", "ujcC9wUGq4yMg4Sr83ZRaheYdJguBWXGhnp101NfbMo=", "Kcf5veFWCVXREqqw2Q7rOJD3ttDxBxePywSepmjiSGo=", "5J6N5aNEMk6YY8lPNH0zZx95RNICDJ12cMAmpwtvGTo=", "/buh7NyeUdCgJPdaMbTAtiQpMkNHhk+xMsI2shkTieM=", "1mfy94KpcItqshH9+gwqV6jccupcaMpVsF28New8zDY=", "vS7O4ozHIQZJWBiov+mkpI27GE8zAmVCEkRcP3NDyNE="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n466318146\nRcerGwX5+QIiZjrznmUlSGFvuGAq3RMLk/7Aj/T6M3I=\n\n\u2014 rekor.sigstore.dev wNI9ajBFAiEA9LofhlufYOpmdGvOuS7AvxT5koyDoOFWNEhobBt+UgYCICpTORyuqmFZWs8D1FJAry4ohDUWTSw3JegUDlUUtr3z\n"}}, "canonicalizedBody": 
"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"}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "Ipna5ULTlc44g6ygDTyRAwfNaOCy9zNgmMjnt+7p8+k="}, "signature": "MEUCIQCPXHI9oLuSI/thT85epdZUVjHxwS88ZSLLKr1fZzkXbgIgSPV7fuuw+HHhBk9c4iAXiB5PIEgLCY0M5UisT3xuAG0="}} diff --git a/Python-3.14.2.tar.xz b/Python-3.14.2.tar.xz new file mode 100644 index 0000000..3b03ed3 --- /dev/null +++ b/Python-3.14.2.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ce543ab854bc256b61b71e9b27f831ffd1bfd60a479d639f8be7f9757cf573e9 +size 23566248 diff --git a/Python-3.14.2.tar.xz.sigstore b/Python-3.14.2.tar.xz.sigstore new file mode 100644 index 0000000..5c9cd40 --- /dev/null +++ b/Python-3.14.2.tar.xz.sigstore 
@@ -0,0 +1 @@ +{"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", "verificationMaterial": {"certificate": {"rawBytes": "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"}, "tlogEntries": [{"logIndex": "743606302", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1764964913", "inclusionPromise": {"signedEntryTimestamp": "MEQCIFnGvsHdMeYy8nrwtVTdv/PaR1aTDwf9Yrv2GjdsNsw+AiAR2o0BrjcFe8TjxbWreTwZ/Kt3zeGSi15x+znz2Ocr9g=="}, "inclusionProof": {"logIndex": "621702040", "rootHash": "dVHtSx74n1EVKTr8ZkEoUDJHV2piMrM5Jyo3x2f8GEU=", "treeSize": "621702042", "hashes": ["Kn+73i6MNIgHE1cdeyArBBdDm+sBwxxKKBO/Y8hPFik=", "21huZMFAhYUSB3tH7/d0+H+OjdndnWoE53mHoRBShZo=", "t3/3NnomBwpQQ/dit38qL8n8ICrN1dqZtiqcYM17fxU=", "e5OOoHIJrUS+lsIZNNLgCqLnU7fsgOINTlSFPPMOK+4=", "ETAkx6N//tEwnhFB+hjwavO9F2M4JBBCbK+W/kZLg0Q=", "mamQezujujSnmKn/0+ueS2xlFZCYg0G6tTjNZ1ezFH0=", "KY+mZ6XMnzG1xo3I/kVu9Uw9DK3UKfa4PXt7i4ElYpQ=", "IaVIX1Ns+gb7uyNW1PFOI2Eko8sf6VyOvY+1txNb27I=", "NTzWPyfxc1IPzv49Nng3yy1Ri5Y94teOI4RQNzzPwik=", "NxaZXwQFBXq44JqVMKZx4KkC0y7CIoG4GsV3H+ntf6w=", "YYvp7Leoq6lF3zEs+Bux7BQt/UrxFbOOJAwVroBevek=", "pQtmpjszxrel2u+2I5HrLBwlwvhc19nfAUsa5EHZAe4=", "0jEq6eagxqoSOor9OR//fY6uOsPzLaE1q1n9tZRzfSc=", "ZmUkYkHBy1B723JrEgiKvepTdHYrP6y2a4oODYvi5VY=", "T4DqWD42hAtN+vX8jKCWqoC4meE4JekI9LxYGCcPy1M="], "checkpoint": {"envelope": "rekor.sigstore.dev - 1193050959916656506\n621702042\ndVHtSx74n1EVKTr8ZkEoUDJHV2piMrM5Jyo3x2f8GEU=\n\n\u2014 rekor.sigstore.dev wNI9ajBEAiBERVmx1IGpoQwrsH/RebrgT8NR5mfKLcAa+Mr2DM8VuwIgYHEm0SHrV47gTZwUWt6Ck5Tk3SR6JNQgUCbIntbUQyc=\n"}}, "canonicalizedBody": 
"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJjZTU0M2FiODU0YmMyNTZiNjFiNzFlOWIyN2Y4MzFmZmQxYmZkNjBhNDc5ZDYzOWY4YmU3Zjk3NTdjZjU3M2U5In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUNnZFNxNGV0K0J5OTRMS2o1Zyt6MHlTcnlwbW03KzliQlBsVS8vNlVlYmJBSWdZSWFTUG5NSGp2a2wvMFMyTGFJU0lFZmZueVVSKzJsYWRZT21ZdnhNNFVJPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTjZha05EUVd4VFowRjNTVUpCWjBsVlJITkROMjlYYmxjd2JEbHdTSEkwTVc1dWEyMVRNVzlQV1dRMGQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZlRTFxUVRGTmFrRjNUVlJWZWxkb1kwNU5hbFY0VFdwQk1VMXFRWGhOVkZWNlYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZhUlVGQlNtY3plR1ZaUlVONWJEZGlaV041ZEdGak1tdEpSVEZ2Um1kUmRVZHFjbW9LUW5wWVVVY3lOMlE0VkdWUmNWUmFkRkprVERWdldrOURXblF4ZVM5RVJHOUNabVJpVjNWc01VTlFiM1pIS3pkNk1tRlBRMEZZVFhkblowWjJUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZzTkVzNUNrTTVZV3RxVkZOdEwyRnNNSGh1U20xbGIyOVJjUzlyZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBoUldVUldVakJTUVZGSUwwSkNUWGRGV1VWUVlVaFdibUl3UW5kbFdGSnZZakkwZFdJelNtNU5RM2RIUTJselIwRlJVVUpuTnpoM1FWRkZSUXBJYldnd1pFaENlazlwT0haYU1td3dZVWhXYVV4dFRuWmlVemx6WWpKa2NHSnBPWFpaV0ZZd1lVUkJkVUpuYjNKQ1owVkZRVmxQTDAxQlJVbENRMEZOQ2todGFEQmtTRUo2VDJrNGRsb3liREJoU0ZacFRHMU9kbUpUT1hOaU1tUndZbWs1ZGxsWVZqQmhSRU5DYVdkWlMwdDNXVUpDUVVoWFpWRkpSVUZuVWpnS1FraHZRV1ZCUWpKQlRqQTVUVWR5UjNoNFJYbFplR3RsU0Vwc2JrNTNTMmxUYkRZME0ycDVkQzgwWlV0amIwRjJTMlUyVDBGQlFVSnRka0ZpVlU5WlFRcEJRVkZFUVVWamQxSlJTV2RTWWxoelVYSlhWamhyWkdoRU5YUk5UWGRZTlVsNU1reFhWMGg0YVd3MlZqVktMMjFZY0Nzdk9TOW5RMGxSUTNkQ1NFdENDbkJYVGpOVFVqWXZWRXhRY2pkdldrTmFXVkZDSzNvMWNUaHNWbkY1WW5aYVUyRk1VelJVUVV0Q1oyZHhhR3RxVDFCUlVVUkJkMDV2UVVSQ2JFRnFRa3dLTmxoSGFuTlBVRkF2VGpjMFVtTjNNM1k
zUTBOdlpUSXpZbVo1UlRFNGR5OVlaSGh0U2tGemFqbFljalp3VW1Sd1kxSjFSWGwwUm1WTVpGcFhTWEZKUXdwTlVVUktUREpqZW1wQ1ZHbFhWV3R4Y2t4eE16RkRkbkFyWmxGb2RVZFRjRGxKV25OV1lsUnZLMm8yZEZONlptRXhaSGQxTUhONU1tdHFRblJzWTFKaUNsbFdjejBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In19fX0="}], "timestampVerificationData": {}}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "zlQ6uFS8JWthtx6bJ/gx/9G/1gpHnWOfi+f5dXz1c+k="}, "signature": "MEUCIQCgdSq4et+By94LKj5g+z0ySrypmm7+9bBPlU//6UebbAIgYIaSPnMHjvkl/0S2LaISIEffnyUR+2ladYOmYvxM4UI="}} diff --git a/bpo-31046_ensurepip_honours_prefix.patch b/bpo-31046_ensurepip_honours_prefix.patch index a962e30..081e7f7 100644 --- a/bpo-31046_ensurepip_honours_prefix.patch +++ b/bpo-31046_ensurepip_honours_prefix.patch @@ -13,11 +13,11 @@ Co-Authored-By: Xavier de Gaye 5 files changed, 37 insertions(+), 9 deletions(-) create mode 100644 Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst -Index: Python-3.14.0rc1/Doc/library/ensurepip.rst +Index: Python-3.14.2/Doc/library/ensurepip.rst =================================================================== ---- Python-3.14.0rc1.orig/Doc/library/ensurepip.rst 2025-07-22 18:42:44.000000000 +0200 -+++ Python-3.14.0rc1/Doc/library/ensurepip.rst 2025-07-23 10:10:31.690342385 +0200 -@@ -61,7 +61,11 @@ +--- Python-3.14.2.orig/Doc/library/ensurepip.rst 2025-12-11 18:11:54.214805989 +0100 ++++ Python-3.14.2/Doc/library/ensurepip.rst 2025-12-11 18:12:02.573781892 +0100 +@@ -65,7 +65,11 @@ By default, ``pip`` is installed into the current virtual environment (if one is active) or into the system site packages (if there is no active virtual environment). The installation location can be controlled @@ -30,7 +30,7 @@ Index: Python-3.14.0rc1/Doc/library/ensurepip.rst .. option:: --root -@@ -102,7 +106,7 @@ +@@ -106,7 +110,7 @@ Returns a string specifying the available version of pip that will be installed when bootstrapping an environment. 
@@ -39,7 +39,7 @@ Index: Python-3.14.0rc1/Doc/library/ensurepip.rst altinstall=False, default_pip=False, \ verbosity=0) -@@ -112,6 +116,8 @@ +@@ -116,6 +120,8 @@ If *root* is ``None``, then installation uses the default install location for the current environment. @@ -48,7 +48,7 @@ Index: Python-3.14.0rc1/Doc/library/ensurepip.rst *upgrade* indicates whether or not to upgrade an existing installation of an earlier version of ``pip`` to the available version. -@@ -132,6 +138,8 @@ +@@ -136,6 +142,8 @@ *verbosity* controls the level of output to :data:`sys.stdout` from the bootstrapping operation. @@ -57,10 +57,10 @@ Index: Python-3.14.0rc1/Doc/library/ensurepip.rst .. audit-event:: ensurepip.bootstrap root ensurepip.bootstrap .. note:: -Index: Python-3.14.0rc1/Lib/ensurepip/__init__.py +Index: Python-3.14.2/Lib/ensurepip/__init__.py =================================================================== ---- Python-3.14.0rc1.orig/Lib/ensurepip/__init__.py 2025-07-23 10:10:18.541751619 +0200 -+++ Python-3.14.0rc1/Lib/ensurepip/__init__.py 2025-07-23 10:10:31.690818287 +0200 +--- Python-3.14.2.orig/Lib/ensurepip/__init__.py 2025-12-11 18:11:54.214805989 +0100 ++++ Python-3.14.2/Lib/ensurepip/__init__.py 2025-12-11 18:12:02.574381834 +0100 @@ -106,27 +106,27 @@ os.environ['PIP_CONFIG_FILE'] = os.devnull @@ -123,10 +123,10 @@ Index: Python-3.14.0rc1/Lib/ensurepip/__init__.py upgrade=args.upgrade, user=args.user, verbosity=args.verbosity, -Index: Python-3.14.0rc1/Lib/test/test_ensurepip.py +Index: Python-3.14.2/Lib/test/test_ensurepip.py =================================================================== ---- Python-3.14.0rc1.orig/Lib/test/test_ensurepip.py 2025-07-23 10:10:19.969641992 +0200 -+++ Python-3.14.0rc1/Lib/test/test_ensurepip.py 2025-07-23 10:10:31.691217643 +0200 +--- Python-3.14.2.orig/Lib/test/test_ensurepip.py 2025-12-11 18:11:54.214805989 +0100 ++++ Python-3.14.2/Lib/test/test_ensurepip.py 2025-12-11 18:12:02.574698987 +0100 
@@ -100,6 +100,17 @@ unittest.mock.ANY, ) @@ -145,11 +145,11 @@ Index: Python-3.14.0rc1/Lib/test/test_ensurepip.py def test_bootstrapping_with_user(self): ensurepip.bootstrap(user=True) -Index: Python-3.14.0rc1/Makefile.pre.in +Index: Python-3.14.2/Makefile.pre.in =================================================================== ---- Python-3.14.0rc1.orig/Makefile.pre.in 2025-07-23 10:10:27.325708066 +0200 -+++ Python-3.14.0rc1/Makefile.pre.in 2025-07-23 10:10:31.691716104 +0200 -@@ -2371,7 +2371,7 @@ +--- Python-3.14.2.orig/Makefile.pre.in 2025-12-11 18:11:58.776792838 +0100 ++++ Python-3.14.2/Makefile.pre.in 2025-12-11 18:12:02.575189138 +0100 +@@ -2375,7 +2375,7 @@ install|*) ensurepip="" ;; \ esac; \ $(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \ @@ -158,7 +158,7 @@ Index: Python-3.14.0rc1/Makefile.pre.in fi .PHONY: altinstall -@@ -2382,7 +2382,7 @@ +@@ -2386,7 +2386,7 @@ install|*) ensurepip="--altinstall" ;; \ esac; \ $(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \ @@ -167,9 +167,9 @@ Index: Python-3.14.0rc1/Makefile.pre.in fi .PHONY: commoninstall -Index: Python-3.14.0rc1/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst +Index: Python-3.14.2/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ Python-3.14.0rc1/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst 2025-07-23 10:10:31.692253536 +0200 ++++ Python-3.14.2/Misc/NEWS.d/next/Build/2019-12-16-17-50-42.bpo-31046.XA-Qfr.rst 2025-12-11 18:12:02.575697168 +0100 @@ -0,0 +1 @@ +A directory prefix can now be specified when using :mod:`ensurepip`. diff --git a/fix-test-recursion-limit-15.6.patch b/fix-test-recursion-limit-15.6.patch index 27d05e0..3f701f1 100644 --- a/fix-test-recursion-limit-15.6.patch +++ b/fix-test-recursion-limit-15.6.patch 
@@ -2,10 +2,10 @@ Lib/test/test_compile.py | 5 +++++ 1 file changed, 5 insertions(+) -Index: Python-3.14.0/Lib/test/test_compile.py +Index: Python-3.14.2/Lib/test/test_compile.py =================================================================== ---- Python-3.14.0.orig/Lib/test/test_compile.py 2025-11-06 23:19:11.681015028 +0100 -+++ Python-3.14.0/Lib/test/test_compile.py 2025-11-06 23:22:47.971267371 +0100 +--- Python-3.14.2.orig/Lib/test/test_compile.py 2025-12-11 18:10:57.011786647 +0100 ++++ Python-3.14.2/Lib/test/test_compile.py 2025-12-11 18:12:09.732814688 +0100 @@ -24,6 +24,9 @@ from test.support.bytecode_helper import instructions_with_positions from test.support.os_helper import FakePath @@ -24,7 +24,7 @@ Index: Python-3.14.0/Lib/test/test_compile.py @support.skip_emscripten_stack_overflow() def test_extended_arg(self): repeat = 100 -@@ -709,6 +713,7 @@ +@@ -724,6 +728,7 @@ @support.cpython_only @unittest.skipIf(support.is_wasi, "exhausts limited stack on WASI") diff --git a/gh139257-Support-docutils-0.22.patch b/gh139257-Support-docutils-0.22.patch index 9e26f6f..fa52df3 100644 --- a/gh139257-Support-docutils-0.22.patch +++ b/gh139257-Support-docutils-0.22.patch 
@@ -4,33 +4,151 @@ Date: Tue, 23 Sep 2025 10:20:16 +0200 Subject: [PATCH 1/2] gh-139257: Support docutils >= 0.22 --- - Doc/tools/extensions/pyspecific.py | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) + Doc/tools/extensions/pyspecific.py | 68 +++++++++++++++++++++++++------------ + 1 file changed, 46 insertions(+), 22 deletions(-) -Index: Python-3.14.0/Doc/tools/extensions/pyspecific.py +Index: Python-3.14.2/Doc/tools/extensions/pyspecific.py =================================================================== ---- Python-3.14.0.orig/Doc/tools/extensions/pyspecific.py -+++ Python-3.14.0/Doc/tools/extensions/pyspecific.py -@@ -25,11 +25,21 @@ from sphinx.util.docutils import SphinxD - SOURCE_URI = 'https://github.com/python/cpython/tree/3.14/%s' +--- Python-3.14.2.orig/Doc/tools/extensions/pyspecific.py 2025-12-05 17:49:16.000000000 +0100 ++++ Python-3.14.2/Doc/tools/extensions/pyspecific.py 2025-12-11 18:15:44.936875242 +0100 +@@ -1,12 +1,12 @@ + # -*- coding: utf-8 -*- + """ +- pyspecific.py +- ~~~~~~~~~~~~~ ++pyspecific.py ++~~~~~~~~~~~~~ - # monkey-patch reST parser to disable alphabetic and roman enumerated lists +- Sphinx extension with Python doc-specific markup. ++Sphinx extension with Python doc-specific markup. + +- :copyright: 2008-2014 by Georg Brandl. +- :license: Python license. ++:copyright: 2008-2014 by Georg Brandl. ++:license: Python license. 
+ """ + + import re +@@ -15,6 +15,7 @@ + + from docutils import nodes + from docutils.parsers.rst import directives ++from docutils.parsers.rst.states import Body + from docutils.utils import unescape + from sphinx import addnodes + from sphinx.domains.python import PyFunction, PyMethod, PyModule +@@ -22,30 +23,48 @@ + from sphinx.util.docutils import SphinxDirective + + # Used in conf.py and updated here by python/release-tools/run_release.py +-SOURCE_URI = 'https://github.com/python/cpython/tree/3.14/%s' ++SOURCE_URI = "https://github.com/python/cpython/tree/3.14/%s" ++ ++ ++# monkey-patch reST parser to disable alphabetic and roman enumerated lists +def _disable_alphabetic_and_roman(text): + try: + # docutils >= 0.22 + from docutils.parsers.rst.states import InvalidRomanNumeralError ++ + raise InvalidRomanNumeralError(text) + except ImportError: + # docutils < 0.22 + return None + + - from docutils.parsers.rst.states import Body - Body.enum.converters['loweralpha'] = \ - Body.enum.converters['upperalpha'] = \ - Body.enum.converters['lowerroman'] = \ -- Body.enum.converters['upperroman'] = lambda x: None -+ Body.enum.converters['upperroman'] = _disable_alphabetic_and_roman - ++Body.enum.converters["loweralpha"] = Body.enum.converters["upperalpha"] = ( ++ Body.enum.converters["lowerroman"] ++) = Body.enum.converters["upperroman"] = _disable_alphabetic_and_roman ++ class PyAwaitableMixin(object): + def handle_signature(self, sig, signode): + ret = super(PyAwaitableMixin, self).handle_signature(sig, signode) +- signode.insert(0, addnodes.desc_annotation('awaitable ', 'awaitable ')) ++ signode.insert(0, addnodes.desc_annotation("awaitable ", "awaitable ")) + return ret + + + class PyAwaitableFunction(PyAwaitableMixin, PyFunction): + def run(self): +- self.name = 'py:function' ++ self.name = "py:function" + return PyFunction.run(self) + + + class PyAwaitableMethod(PyAwaitableMixin, PyMethod): + def run(self): +- self.name = 'py:method' ++ self.name = "py:method" + 
return PyMethod.run(self) + + + # Support for documenting Opcodes + +-opcode_sig_re = re.compile(r'(\w+(?:\+\d)?)(?:\s*\((.*)\))?') ++opcode_sig_re = re.compile(r"(\w+(?:\+\d)?)(?:\s*\((.*)\))?") + + + def parse_opcode_signature(env, sig, signode): +@@ -64,7 +83,7 @@ + + # Support for documenting pdb commands + +-pdbcmd_sig_re = re.compile(r'([a-z()!]+)\s*(.*)') ++pdbcmd_sig_re = re.compile(r"([a-z()!]+)\s*(.*)") + + # later... + # pdbargs_tokens_re = re.compile(r'''[a-zA-Z]+ | # identifiers +@@ -80,16 +99,16 @@ + if m is None: + raise ValueError + name, args = m.groups() +- fullname = name.replace('(', '').replace(')', '') ++ fullname = name.replace("(", "").replace(")", "") + signode += addnodes.desc_name(name, name) + if args: +- signode += addnodes.desc_addname(' '+args, ' '+args) ++ signode += addnodes.desc_addname(" " + args, " " + args) + return fullname + + + def parse_monitoring_event(env, sig, signode): + """Transform a monitoring event signature into RST nodes.""" +- signode += addnodes.desc_addname('sys.monitoring.events.', 'sys.monitoring.events.') ++ signode += addnodes.desc_addname("sys.monitoring.events.", "sys.monitoring.events.") + signode += addnodes.desc_name(sig, sig) + return sig + +@@ -102,7 +121,7 @@ + As such, we link this to ``env-check-consistency``, even though it has + nothing to do with the environment consistency check. 
+ """ +- if app.builder.name != 'gettext': ++ if app.builder.name != "gettext": + return + + # allow translating deprecated index entries +@@ -119,10 +138,15 @@ + + + def setup(app): +- app.add_object_type('opcode', 'opcode', '%s (opcode)', parse_opcode_signature) +- app.add_object_type('pdbcommand', 'pdbcmd', '%s (pdb command)', parse_pdb_command) +- app.add_object_type('monitoring-event', 'monitoring-event', '%s (monitoring event)', parse_monitoring_event) +- app.add_directive_to_domain('py', 'awaitablefunction', PyAwaitableFunction) +- app.add_directive_to_domain('py', 'awaitablemethod', PyAwaitableMethod) +- app.connect('env-check-consistency', patch_pairindextypes) +- return {'version': '1.0', 'parallel_read_safe': True} ++ app.add_object_type("opcode", "opcode", "%s (opcode)", parse_opcode_signature) ++ app.add_object_type("pdbcommand", "pdbcmd", "%s (pdb command)", parse_pdb_command) ++ app.add_object_type( ++ "monitoring-event", ++ "monitoring-event", ++ "%s (monitoring event)", ++ parse_monitoring_event, ++ ) ++ app.add_directive_to_domain("py", "awaitablefunction", PyAwaitableFunction) ++ app.add_directive_to_domain("py", "awaitablemethod", PyAwaitableMethod) ++ app.connect("env-check-consistency", patch_pairindextypes) ++ return {"version": "1.0", "parallel_read_safe": True} diff --git a/python-3.3.0b1-fix_date_time_compiler.patch b/python-3.3.0b1-fix_date_time_compiler.patch index 820adca..57eece7 100644 --- a/python-3.3.0b1-fix_date_time_compiler.patch +++ b/python-3.3.0b1-fix_date_time_compiler.patch 
@@ -2,11 +2,11 @@ Makefile.pre.in | 5 +++++ 1 file changed, 5 insertions(+) -Index: Python-3.14.0/Makefile.pre.in +Index: Python-3.14.2/Makefile.pre.in =================================================================== ---- Python-3.14.0.orig/Makefile.pre.in 2025-10-07 11:34:52.000000000 +0200 -+++ Python-3.14.0/Makefile.pre.in 2025-11-06 23:19:25.434995608 +0100 -@@ -1910,6 +1910,11 @@ +--- Python-3.14.2.orig/Makefile.pre.in 2025-12-11 18:11:54.290805770 +0100 ++++ Python-3.14.2/Makefile.pre.in 2025-12-11 18:11:58.776792838 +0100 +@@ -1914,6 +1914,11 @@ -DGITBRANCH="\"`LC_ALL=C $(GITBRANCH)`\"" \ -o $@ $(srcdir)/Modules/getbuildinfo.c diff --git a/python314-base.rpmlintrc b/python314-base.rpmlintrc new file mode 100644 index 0000000..e28381c --- /dev/null +++ b/python314-base.rpmlintrc @@ -0,0 +1,4 @@ +addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem") +addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/*.c") +addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/*.cpp") +addFilter("python-bytecode-inconsistent-mtime.*/usr/lib.*/python.*/*.pyc") diff --git a/python314.changes b/python314.changes index e85b69d..aa623e4 100644 --- a/python314.changes +++ b/python314.changes 
@@ -1,3 +1,612 @@ +------------------------------------------------------------------- +Thu Dec 11 17:37:09 UTC 2025 - Matej Cepl + +* Update to 3.14.2: +- Security + - gh-142145: Remove quadratic behavior in xml.minidom node ID + cache clearing. + - gh-119452: Fix a potential memory denial of service in the + http.server module. When a malicious user is connected to the + CGI server on Windows, it could cause an arbitrary amount of + memory to be allocated. This could have led to symptoms + including a MemoryError, swapping, out of memory (OOM) killed + processes or containers, or even system crashes. +- Library + - gh-140797: Revert changes to the undocumented re.Scanner + class. Capturing groups are still allowed for backward + compatibility, although using them can lead to incorrect + result. They will be forbidden in future Python versions. + - gh-142206: The resource tracker in the multiprocessing module + now uses the original communication protocol, as in Python + 3.14.0 and below, by default. This avoids issues with + upgrading Python while it is running. (Note that such + ‘in-place’ upgrades are not tested.) The tracker remains + compatible with subprocesses that use new protocol (that is, + subprocesses using Python 3.13.10, 3.14.1 and 3.15). + - gh-142214: Fix two regressions in dataclasses in Python + 3.14.1 related to annotations. An exception is no longer + raised if slots=True is used and the __init__ method does not + have an __annotate__ attribute (likely because init=False was + used). An exception is no longer raised if annotations are + requested on the __init__ method and one of the fields is not + present in the class annotations. This can occur in certain + dynamic scenarios. Patch by Jelle Zijlstra. +- Core and Builtins + - gh-142218: Fix crash when inserting into a split table + dictionary with a non str key that matches an existing key. + - gh-116738: Fix cmath data race when initializing + trigonometric tables with subinterpreters. 
+* Update to 3.14.1: +- Tools/Demos + - gh-141692: Each slice of an iOS XCframework now contains + a lib folder that contains a symlink to the libpython dylib. + This allows binary modules to be compiled for iOS using + dynamic libreary linking, rather than Framework linking. + - gh-141442: The iOS testbed now correctly handles test + arguments that contain spaces. + - gh-140702: The iOS testbed app will now expose the + GITHUB_ACTIONS environment variable to iOS apps being tested. + - gh-137484: Have Tools/wasm/wasi put the build Python into + a directory named after the build triple instead of “build”. + - gh-137248: Add a --logdir option to Tools/wasm/wasi for + specifying where to write log files. + - gh-137243: Have Tools/wasm/wasi detect a WASI SDK install in + /opt when it was directly extracted from a release tarball. +- Tests + - gh-140482: Preserve and restore the state of stty echo as + part of the test environment. + - gh-140082: Update python -m test to set FORCE_COLOR=1 when + being run with color enabled so that unittest which is run by + it with redirected output will output in color. + - gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the + --verbose option anymore. Patch by Victor Stinner. + - gh-136442: Use exitcode 1 instead of 5 if + unittest.TestCase.setUpClass() raises an exception +- Security + - gh-139700: Check consistency of the zip64 end of central + directory record. Support records with “zip64 extensible + data” if there are no bytes prepended to the ZIP file. + - gh-139283: sqlite3: correctly handle maximum number of rows + to fetch in Cursor.fetchmany and reject negative values for + Cursor.arraysize. Patch by Bénédikt Tran. (CVE-2025-8291, + bsc#1251305) + - gh-137836: Add support of the “plaintext” element, RAWTEXT + elements “xmp”, “iframe”, “noembed” and “noframes”, and + optionally RAWTEXT element “noscript” in + html.parser.HTMLParser. 
+ - gh-136063: email.message: ensure linear complexity for legacy + HTTP parameters parsing. Patch by Bénédikt Tran. + - gh-136065: Fix quadratic complexity in os.path.expandvars() + (CVE-2025-6075, bsc#1252974) + - gh-119451: Fix a potential memory denial of service in the + http.client module. When connecting to a malicious server, it + could cause an arbitrary amount of memory to be allocated. + This could have led to symptoms including a MemoryError, + swapping, out of memory (OOM) killed processes or containers, + or even system crashes (CVE-2025-13836, bsc#1254400) + - gh-119342: Fix a potential memory denial of service in the + plistlib module. When reading a Plist file received from + untrusted source, it could cause an arbitrary amount of + memory to be allocated. This could have led to symptoms + including a MemoryError, swapping, out of memory (OOM) killed + processes or containers, or even system crashes + (CVE-2025-13837, bsc#1254401). +- Library + - gh-74389: When the stdin being used by a subprocess.Popen + instance is closed, this is now ignored in + subprocess.Popen.communicate() instead of leaving the class + in an inconsistent state. + - gh-87512: Fix subprocess.Popen.communicate() timeout handling + on Windows when writing large input. Previously, the timeout + was ignored during stdin writing, causing the method to block + indefinitely if the child process did not consume input + quickly. The stdin write is now performed in a background + thread, allowing the timeout to be properly enforced. + - gh-141473: When subprocess.Popen.communicate() was called + with input and a timeout and is called for a second time + after a TimeoutExpired exception before the process has died, + it should no longer hang. + - gh-59000: Fix pdb breakpoint resolution for class methods + when the module defining the class is not imported. + - gh-141570: Support file-like object raising OSError from + fileno() in color detection (_colorize.can_colorize()). 
This + can occur when sys.stdout is redirected. + - gh-141659: Fix bad file descriptor errors from + _posixsubprocess on AIX. + - gh-141600: Fix musl version detection on Void Linux. + - gh-141497: ipaddress: ensure that the methods + IPv4Network.hosts() and IPv6Network.hosts() always return an + iterator. + - gh-140938: The statistics.stdev() and statistics.pstdev() + functions now raise a ValueError when the input contains an + infinity or a NaN. + - gh-124111: Updated Tcl threading configuration in _tkinter to + assume that threads are always available in Tcl 9 and later. + - gh-137109: The os.fork and related forking APIs will no + longer warn in the common case where Linux or macOS platform + APIs return the number of threads in a process and find the + answer to be 1 even when a os.register_at_fork() + after_in_parent= callback (re)starts a thread. + - gh-141314: Fix assertion failure in io.TextIOWrapper.tell() + when reading files with standalone carriage return (\r) line + endings. + - gh-141311: Fix assertion failure in io.BytesIO.readinto() and + undefined behavior arising when read position is above + capcity in io.BytesIO. + - gh-141141: Fix a thread safety issue with base64.b85decode(). + Contributed by Benel Tayar. + - gh-137969: Fix annotationlib.ForwardRef.evaluate() returning + ForwardRef objects which don’t update with new globals. + - gh-140911: collections: Ensure that the methods + UserString.rindex() and UserString.index() accept + collections.UserString instances as the sub argument. + - gh-140797: The undocumented re.Scanner class now forbids + regular expressions containing capturing groups in its + lexicon patterns. Patterns using capturing groups could + previously lead to crashes with segmentation fault. Use + non-capturing groups (?:…) instead. + - gh-125115: Refactor the pdb parsing issue so positional + arguments can pass through intuitively. + - gh-140815: faulthandler now detects if a frame or a code + object is invalid or freed. 
Patch by Victor Stinner. + - gh-100218: Correctly set errno when socket.if_nametoindex() + or socket.if_indextoname() raise an OSError. Patch by + Bénédikt Tran. + - gh-140875: Fix handling of unclosed character references + (named and numerical) followed by the end of file in + html.parser.HTMLParser with convert_charrefs=False. + - gh-140734: multiprocessing: fix off-by-one error when + checking the length of a temporary socket file path. Patch by + Bénédikt Tran. + - gh-140874: Bump the version of pip bundled in ensurepip to + version 25.3 + - gh-140691: In urllib.request, when opening a FTP URL fails + because a data connection cannot be made, the control + connection’s socket is now closed to avoid a ResourceWarning. + - gh-103847: Fix hang when cancelling process created by + asyncio.create_subprocess_exec() or + asyncio.create_subprocess_shell(). Patch by Kumar Aditya. + - gh-120057: Add os.reload_environ() to os.__all__. + - gh-140228: Avoid making unnecessary filesystem calls for + frozen modules in linecache when the global module cache is + not present. + - gh-140590: Fix arguments checking for the + functools.partial.__setstate__() that may lead to internal + state corruption and crash. Patch by Sergey Miryanov. + - gh-125434: Display thread name in faulthandler on Windows. + Patch by Victor Stinner. + - gh-140634: Fix a reference counting bug in + os.sched_param.__reduce__(). + - gh-140633: Ignore AttributeError when setting a module’s + __file__ attribute when loading an extension module packaged + as Apple Framework. + - gh-140593: xml.parsers.expat: Fix a memory leak that could + affect users with ElementDeclHandler() set to a custom + element declaration handler. Patch by Sebastian Pipping. + - gh-140607: Inside io.RawIOBase.read(), validate that the + count of bytes returned by io.RawIOBase.readinto() is valid + (inside the provided buffer). + - gh-138162: Fix logging.LoggerAdapter with merge_extra=True + and without the extra argument. 
+ - gh-138774: ast.unparse() now generates full source code when + handling ast.Interpolation nodes that do not have a specified + source. + - gh-140474: Fix memory leak in array.array when creating + arrays from an empty str and the u type code. + - gh-137530: dataclasses Fix annotations for generated __init__ + methods by replacing the annotations that were in-line in the + generated source code with __annotate__ functions attached to + the methods. + - gh-140348: Fix regression in Python 3.14.0 where using the + | operator on a typing.Union object combined with an object + that is not a type would raise an error. + - gh-140272: Fix memory leak in the clear() method of the + dbm.gnu database. + - gh-140041: Fix import of ctypes on Android and Cygwin when + ABI flags are present. + - gh-140120: Fixed a memory leak in hmac when it was using the + hacl-star backend. Discovered by @ashm-dev using + AddressSanitizer. + - gh-139905: Add suggestion to error message for typing.Generic + subclasses when cls.__parameters__ is missing due to a parent + class failing to call super().__init_subclass__() in its + __init_subclass__. + - gh-139894: Fix incorrect sharing of current task with the + child process while forking in asyncio. Patch by Kumar + Aditya. + - gh-139845: Fix to not print KeyboardInterrupt twice in + default asyncio REPL. + - gh-139783: Fix inspect.getsourcelines() for the case when + a decorator is followed by a comment or an empty line. + - gh-139809: Prevent premature colorization of subparser prog + in argparse.ArgumentParser.add_subparsers() to respect color + environment variable changes after parser creation. + - gh-139736: Fix excessive indentation in the default argparse + HelpFormatter. Patch by Alexander Edland. + - gh-70765: http.server: fix default handling of HTTP/0.9 + requests in BaseHTTPRequestHandler. 
Previously, + BaseHTTPRequestHandler.parse_request() incorrectly waited for + headers in the request although those are not supported in + HTTP/0.9. Patch by Bénédikt Tran. + - gh-63161: Fix tokenize.detect_encoding(). Support non-UTF-8 + shebang and comments if non-UTF-8 encoding is specified. + Detect decoding error for non-UTF-8 encoding. Detect null + bytes in source code. + - gh-139391: Fix an issue when, on non-Windows platforms, it + was not possible to gracefully exit a python -m asyncio + process suspended by Ctrl+Z and later resumed by fg other + than with kill. + - gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004', + 'euc_jisx0213' and 'euc_jis_2004' codecs truncating null + chars as they were treated as part of multi-character + sequences. + - gh-139289: Do a real lazy-import on rlcompleter in pdb and + restore the existing completer after importing rlcompleter. + - gh-139246: fix: paste zero-width in default repl width is + wrong. + - gh-90949: Add SetAllocTrackerActivationThreshold() and + SetAllocTrackerMaximumAmplification() to xmlparser objects to + prevent use of disproportional amounts of dynamic memory from + within an Expat parser. Patch by Bénédikt Tran. + - gh-139210: Fix use-after-free when reporting unknown event in + xml.etree.ElementTree.iterparse(). Patch by Ken Jin. + - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock + in subprocess. + - gh-112729: Fix crash when calling + concurrent.interpreters.create() when the process is out of + memory. + - gh-135729: Fix unraisable exception during finalization when + using concurrent.interpreters in the REPL. + - gh-139076: Fix a bug in the pydoc module that was hiding + functions in a Python module if they were implemented in an + extension module and the module did not have __all__. + - gh-139065: Fix trailing space before a wrapped long word if + the line length is exactly width in textwrap. + - gh-139001: Fix race condition in pathlib.Path on the internal + _raw_paths field. 
+ - gh-138813: multiprocessing.BaseProcess defaults kwargs to + None instead of a shared dictionary. + - gh-138993: Dedent credits text. + - gh-138891: Fix SyntaxError when inspect.get_annotations(f, + eval_str=True) is called on a function annotated with a PEP + 646 star_expression + - gh-130567: Fix possible crash in locale.strxfrm() due to + a platform bug on macOS. + - gh-138859: Fix generic type parameterization raising + a TypeError when omitting a ParamSpec that has a default + which is not a list of types. + - gh-138764: Prevent annotationlib.call_annotate_function() + from calling __annotate__ functions that don’t support + VALUE_WITH_FAKE_GLOBALS in a fake globals namespace with + empty globals. Make FORWARDREF and STRING annotations fall + back to using VALUE annotations in the case that neither + their own format, nor VALUE_WITH_FAKE_GLOBALS are supported. + - gh-138775: Use of python -m with base64 has been fixed to + detect input from a terminal so that it properly notices EOF. + - gh-138779: Support device numbers larger than 2**63-1 for the + st_rdev field of the os.stat_result structure. + - gh-137706: Fix the partial evaluation of annotations that use + typing.Annotated[T, x] where T is a forward reference. + - gh-88375: Fix normalization of the robots.txt rules and URLs + in the urllib.robotparser module. No longer ignore trailing + ?. Distinguish raw special characters ?, = and & from the + percent-encoded ones. + - gh-111788: Fix parsing errors in the urllib.robotparser + module. Don’t fail trying to parse weird paths. Don’t fail + trying to decode non-UTF-8 robots.txt files. + - gh-98896: Fix a failure in multiprocessing resource_tracker + when SharedMemory names contain colons. Patch by Rani + Pinchuk. + - gh-138425: Fix partial evaluation of annotationlib.ForwardRef + objects which rely on names defined as globals. 
+ - gh-138432: zoneinfo.reset_tzpath() will now convert any + os.PathLike objects it receives into strings before adding + them to TZPATH. It will raise TypeError if anything other + than a string is found after this conversion. If given an + os.PathLike object that represents a relative path, it will + now raise ValueError instead of TypeError, and present a more + informative error message. + - gh-138008: Fix segmentation faults in the ctypes module due + to invalid argtypes. Patch by Dung Nguyen. + - gh-60462: Fix locale.strxfrm() on Solaris (and possibly other + platforms). + - gh-138239: The REPL now highlights type as a soft keyword in + type statements. + - gh-138204: Forbid expansion of shared anonymous memory maps + on Linux, which caused a bus error. + - gh-138010: Fix an issue where defining a class with an + @warnings.deprecated-decorated base class may not invoke the + correct __init_subclass__() method in cases involving + multiple inheritance. Patch by Brian Schubert. + - gh-138151: In annotationlib, improve evaluation of forward + references to nonlocal variables that are not yet defined + when the annotations are initially evaluated. + - gh-137317: inspect.signature() now correctly handles classes + that use a descriptor on a wrapped __init__() or __new__() + method. Contributed by Yongyu Yan. + - gh-137754: Fix import of the zoneinfo module if the + C implementation of the datetime module is not available. + - gh-137490: Handle ECANCELED in the same way as EINTR in + signal.sigwaitinfo() on NetBSD. + - gh-137477: Fix inspect.getblock(), inspect.getsourcelines() + and inspect.getsource() for generator expressions. + - gh-137044: Return large limit values as positive integers + instead of negative integers in resource.getrlimit(). Accept + large values and reject negative values (except + RLIM_INFINITY) for limits in resource.setrlimit(). 
+ - gh-75989: tarfile.TarFile.extractall() and + tarfile.TarFile.extract() now overwrite symlinks when + extracting hardlinks. (Contributed by Alexander Enrique + Urieles Nieto in gh-75989.) + - gh-137017: Fix threading.Thread.is_alive to remain True until + the underlying OS thread is fully cleaned up. This avoids + false negatives in edge cases involving thread monitoring or + premature threading.Thread.is_alive calls. + - gh-137273: Fix debug assertion failure in locale.setlocale() + on Windows. + - gh-137239: heapq: Update heapq.__all__ with *_max functions. + - gh-81325: tarfile.TarFile now accepts a path-like when + working on a tar archive. (Contributed by Alexander Enrique + Urieles Nieto in gh-81325.) + - gh-137185: Fix a potential async-signal-safety issue in + faulthandler when printing C stack traces. + - gh-136914: Fix retrieval of doctest.DocTest.lineno for + objects decorated with functools.cache() or + functools.cached_property. + - gh-136912: hmac.digest() now properly handles large keys and + messages by falling back to the pure Python implementation + when necessary. Patch by Bénédikt Tran. + - gh-83424: Allows creating a ctypes.CDLL without name when + passing a handle as an argument. + - gh-136234: Fix asyncio.WriteTransport.writelines() to be + robust to connection failure, by using the same behavior as + write(). + - gh-136507: Fix mimetypes CLI to handle multiple file + parameters. + - gh-136057: Fixed the bug in pdb and bdb where next and step + can’t go over the line if a loop exists in the line. + - gh-135386: Fix opening a dbm.sqlite3 database for reading + from read-only file or directory. + - gh-135444: Fix asyncio.DatagramTransport.sendto() to account + for datagram header size when data cannot be sent. + - gh-126631: Fix multiprocessing forkserver bug which prevented + __main__ from being preloaded. + - gh-135307: email: Fix exception in set_content() when + encoding text and max_line_length is set to 0 or None + (unlimited). 
+ - gh-134453: Fixed subprocess.Popen.communicate() input= + handling of memoryview instances that were non-byte shaped on + POSIX platforms. Those are now properly cast to a byte shaped + view instead of truncating the input. Windows platforms did + not have this bug. + - gh-134698: Fix a crash when calling methods of ssl.SSLContext + or ssl.SSLSocket across multiple threads. + - gh-125996: Fix thread safety of collections.OrderedDict. + Patch by Kumar Aditya. + - gh-133789: Fix unpickling of pathlib objects that were + pickled in Python 3.13. + - gh-127081: Fix libc thread safety issues with dbm by + performing stateful operations in critical sections. + - gh-132551: Make io.BytesIO safe in free-threaded build. + - gh-131788: Make ResourceTracker.send from multiprocessing + re-entrant safe + - gh-118981: Fix potential hang in + multiprocessing.popen_spawn_posix that can happen when the + child proc dies early by closing the child fds right away. + - gh-102431: Clarify constraints for “logical” arguments in + methods of decimal.Context. + - gh-78319: UTF8 support for the IMAP APPEND command has been + made RFC compliant. bpo-38735: Fix failure when importing + a module from the root directory on unix-like platforms with + sys.pycache_prefix set. bpo-41839: Allow negative priority + values from os.sched_get_priority_min() and + os.sched_get_priority_max() functions. +- IDLE + - gh-96491: Deduplicate version number in IDLE shell title bar + after saving to a file. + - gh-139742: Colorize t-string prefixes for template strings in + IDLE, as done for f-string prefixes. +- Documentation + - gh-141994: xml.sax.handler: Make Documentation of + xml.sax.handler.feature_external_ges warn of opening up to + external entity attacks. Patch by Sebastian Pipping. + - gh-140578: Remove outdated sencence in the documentation for + multiprocessing, that implied that + concurrent.futures.ThreadPoolExecutor did not exist. 
+- Core and Builtins + - gh-142048: Fix quadratically increasing garbage collection + delays in free-threaded build. + - gh-116738: Fix thread safety issue with re scanner objects in + free-threaded builds. + - gh-141930: When importing a module, use Python’s regular file + object to ensure that writes to .pyc files are complete or an + appropriate error is raised. + - gh-120158: Fix inconsistent state when enabling or disabling + monitoring events too many times. + - gh-139653: Only raise a RecursionError or trigger a fatal + error if the stack pointer is both below the limit pointer + and above the stack base. If outside of these bounds assume + that it is OK. This prevents false positives when user-space + threads swap stacks. + - gh-139103: Improve multithreaded scaling of dataclasses on + the free-threaded build. + - gh-141579: Fix sys.activate_stack_trampoline() to properly + support the perf_jit backend. Patch by Pablo Galindo. + - gh-114203: Skip locking if object is already locked by + two-mutex critical section. + - gh-141528: Suggest using + concurrent.interpreters.Interpreter.close() instead of the + private _interpreters.destroy function when warning about + remaining subinterpreters. Patch by Sergey Miryanov. + - gh-141312: Fix the assertion failure in the __setstate__ + method of the range iterator when a non-integer argument is + passed. Patch by Sergey Miryanov. + - gh-116738: Make csv module thread-safe on the free threaded + build. + - gh-140939: Fix memory leak when bytearray or bytes is + formated with the %*b format with a large width that results + in a MemoryError. + - gh-140260: Fix struct data race in endian table + initialization with subinterpreters. Patch by Shamil + Abdulaev. + - gh-140530: Fix a reference leak when raise exc from cause + fails. Patch by Bénédikt Tran. + - gh-140373: Correctly emit PY_UNWIND event when generator + object is closed. Patch by Mikhail Efimov. 
+ - gh-140576: Fixed crash in tokenize.generate_tokens() in case + of specific incorrect input. Patch by Mikhail Efimov. + - gh-140551: Fixed crash in dict if dict.clear() is called at + the lookup stage. Patch by Mikhail Efimov and Inada Naoki. + - gh-140517: Fixed a reference leak when iterating over the + result of map() with strict=True when the input iterables + have different lengths. Patch by Mikhail Efimov. + - gh-140471: Fix potential buffer overflow in ast.AST node + initialization when encountering malformed _fields containing + non-str. + - gh-140431: Fix a crash in Python’s garbage collector due to + partially initialized coroutine objects when coroutine origin + tracking depth is enabled + (sys.set_coroutine_origin_tracking_depth()). + - gh-140398: Fix memory leaks in readline functions + read_init_file(), read_history_file(), write_history_file(), + and append_history_file() when PySys_Audit() fails. + - gh-140406: Fix memory leak when an object’s __hash__() method + returns an object that isn’t an int. + - gh-140358: Restore elapsed time and unreachable object count + in GC debug output. These were inadvertently removed during + a refactor of gc.c. The debug log now again reports elapsed + collection time and the number of unreachable objects. + Contributed by Pål Grønås Drange. + - gh-140306: Fix memory leaks in cross-interpreter channel + operations and shared namespace handling. + - gh-140301: Fix memory leak of PyConfig in subinterpreters. + - gh-140257: Fix data race between interpreter_clear() and + take_gil() on eval_breaker during finalization with daemon + threads. + - gh-139951: Fixes a regression in GC performance for a growing + heap composed mostly of small tuples. Counts number of + actually tracked objects, instead of trackable objects. This + ensures that untracking tuples has the desired effect of + reducing GC overhead. Does not track most untrackable tuples + during creation. 
This prevents large numbers of small tuples + causing excessive GCs. + - gh-140104: Fix a bug with exception handling in the JIT. + Patch by Ken Jin. Bug reported by Daniel Diniz. + - gh-140061: Fixing the checking of whether an object is + uniquely referenced to ensure free-threaded compatibility. + Patch by Sergey Miryanov. + - gh-140067: Fix memory leak in sub-interpreter creation. + - gh-140000: Fix potential memory leak when a reference cycle + exists between an instance of typing.TypeAliasType, + typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple and + its __name__ attribute. Patch by Mikhail Efimov. + - gh-139914: Restore support for HP PA-RISC, which has an + upwards-growing stack. + - gh-139988: Fix a memory leak when failing to create a Union + type. Patch by Bénédikt Tran. + - gh-139748: Fix reference leaks in error branches of functions + accepting path strings or bytes such as compile() and + os.system(). Patch by Bénédikt Tran. + - gh-139516: Fix lambda colon erroneously start format spec in + f-string in tokenizer. + - gh-139640: ast.parse() no longer emits syntax warnings for + return/break/continue in finally (see PEP 765) – they are + only emitted during compilation. + - gh-139640: Fix swallowing some syntax warnings in different + modules if they accidentally have the same message and are + emitted from the same line. Fix duplicated warnings in the + finally block. + - gh-63161: Support non-UTF-8 shebang and comments in Python + source files if non-UTF-8 encoding is specified. Detect + decoding error in comments for default (UTF-8) encoding. Show + the line and position of decoding error for default encoding + in a traceback. Show the line containing the coding cookie + when it conflicts with the BOM in a traceback. + - gh-116738: Make mmap thread-safe on the free threaded build. + - gh-138558: Fix handling of unusual t-string annotations in + annotationlib. Patch by Dave Peck. 
+ - gh-134466: Don’t run PyREPL in a degraded environment where + setting termios attributes is not allowed. + - gh-138944: Fix SyntaxError message when invalid syntax + appears on the same line as a valid import ... as ... or from + ... import ... as ... statement. Patch by Brian Schubert. + - gh-105487: Remove non-existent __copy__(), __deepcopy__(), + and __bases__ from the __dir__() entries of + types.GenericAlias. + - gh-69605: Fix some standard library submodules missing from + the REPL auto-completion of imports. + - gh-116738: Make cProfile thread-safe on the free threaded + build. + - gh-138004: On Solaris/Illumos platforms, thread names are now + encoded as ASCII to avoid errors on systems (e.g. + OpenIndiana) that don’t support non-ASCII names. + - gh-137433: Fix a potential deadlock in the free threading + build when daemon threads enable or disable profiling or + tracing while the main thread is shutting down the + interpreter. + - gh-137400: Fix a crash in the free threading build when + disabling profiling or tracing across all threads with + PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() + or their Python equivalents threading.settrace_all_threads() + and threading.setprofile_all_threads(). + - gh-58124: Fix name of the Python encoding in Unicode errors + of the code page codec: use “cp65000” and “cp65001” instead + of “CP_UTF7” and “CP_UTF8” which are not valid Python code + names. Patch by Victor Stinner. + - gh-132657: Improve performance of frozenset by removing locks + in the free-threading build. + - gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to + match old pre-3.13 REPL behavior. + - gh-128640: Fix a crash when using threads inside of + a subinterpreter. +- C API + - gh-137422: Fix free threading race condition in + PyImport_AddModuleRef(). It was previously possible for two + calls to the function return two different objects, only one + of which was stored in sys.modules. 
+ - gh-140042: Removed the sqlite3_shutdown call that could cause + closing connections for sqlite when used with multiple sub + interpreters. + - gh-141042: Make qNaN in PyFloat_Pack2() and PyFloat_Pack4(), + if while conversion to a narrower precision floating-point + format — the remaining after truncation payload will be zero. + Patch by Sergey B Kirpichev. + - gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API 3.11 + and older: don’t treat Py_NotImplemented as immortal. Patch + by Victor Stinner. + - gh-140153: Fix Py_REFCNT() definition on limited C API + 3.11-3.13. Patch by Victor Stinner. + - gh-139653: Add PyUnstable_ThreadState_SetStackProtection() + and PyUnstable_ThreadState_ResetStackProtection() functions + to set the stack protection base address and stack protection + size of a Python thread state. Patch by Victor Stinner. +- Build + - gh-141808: Do not generate the jit stencils twice in case of + PGO builds on Windows. + - gh-141784: Fix _remote_debugging_module.c compilation on + 32-bit Linux. Include Python.h before system headers to make + sure that _remote_debugging_module.c uses the same types + (ABI) than Python. Patch by Victor Stinner. + - gh-140768: Warn when the WASI SDK version doesn’t match + what’s supported. + - gh-140513: Generate a clear compilation error when + _Py_TAIL_CALL_INTERP is enabled but either preserve_none or + musttail is not supported. + - gh-140189: iOS builds were added to CI. + - gh-138489: When cross-compiling for WASI by build_wasm or + build_emscripten, the build-details.json step is now included + in the build process, just like with native builds. This + fixes the libinstall task which requires the + build-details.json file during the process. + - gh-137618: PYTHON_FOR_REGEN now requires Python 3.10 to + Python 3.15. Patch by Adam Turner. + - gh-123681: Check the strftime() behavior at runtime instead + of at the compile time to support cross-compiling. Remove the + internal macro _Py_NORMALIZE_CENTURY. 
+- Remove upstreamed patches: + - CVE-2025-6075-expandvars-perf-degrad.patch + - CVE-2025-8291-consistency-zip64.patch + ------------------------------------------------------------------- Thu Nov 13 17:13:03 UTC 2025 - Matej Cepl diff --git a/python314.rpmlintrc b/python314.rpmlintrc new file mode 100644 index 0000000..e28381c --- /dev/null +++ b/python314.rpmlintrc @@ -0,0 +1,4 @@ +addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem") +addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/*.c") +addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/*.cpp") +addFilter("python-bytecode-inconsistent-mtime.*/usr/lib.*/python.*/*.pyc") diff --git a/python314.spec b/python314.spec index 791eede..59f8074 100644 --- a/python314.spec +++ b/python314.spec @@ -124,7 +124,7 @@ # %%define tarversion %%{version} # %%endif # We don't process beta signs well -%define folderversion 3.14.0 +%define folderversion 3.14.2 %define sitedir %{_libdir}/python%{python_version} # three possible ABI kinds: m - pymalloc, d - debug build; see PEP 3149 %define abi_kind %{nil} @@ -162,7 +162,7 @@ # _md5.cpython-38m-x86_64-linux-gnu.so %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so Name: %{python_pkg_name}%{psuffix} -Version: 3.14.0 +Version: 3.14.2 %define tarversion %{version} %define tarname Python-%{tarversion} Release: 0 
@@ -224,12 +224,6 @@ Patch41: bsc1243155-sphinx-non-determinism.patch Patch44: gh138131-exclude-pycache-from-digest.patch # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com Patch45: gh139257-Support-docutils-0.22.patch -# PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com -# Check consistency of the zip64 end of central directory record -Patch46: CVE-2025-8291-consistency-zip64.patch -# PATCH-FIX-UPSTREAM CVE-2025-6075-expandvars-perf-degrad.patch bsc#1252974 mcepl@suse.com -# Avoid potential quadratic complexity vulnerabilities in path modules -Patch47: CVE-2025-6075-expandvars-perf-degrad.patch #### Python 3.14 DEVELOPMENT PATCHES BuildRequires: autoconf-archive BuildRequires: automake
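Review bot: the "Remove upstreamed patches" entry that closes the new changelog block names CVE-2025-6075-expandvars-perf-degrad.patch and CVE-2025-8291-consistency-zip64.patch by filename only, while the spec comments deleted later in this patch are what tie them to bsc#1252974 and bsc#1251305. Please carry both bsc# references into that changelog entry and say which upstream release contains each fix, so that someone auditing the package can confirm the two CVE fixes are still present once the local patches are gone. Separately, the gh-141042 entry ("if while conversion to a narrower precision floating-point format") is hard to parse as written; if it is copied verbatim from upstream that is fine, otherwise it is worth rewording.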
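Review bot: in the new python314.rpmlintrc the four addFilter() arguments end in glob-style tails ("test/*.pem", "tests/*.c", "test/*.cpp", "/*.pyc"), but rpmlint treats the argument as a regular expression. Read as a regex, "/*.pem" means zero or more slashes, one arbitrary character, then the literal "pem", so a warning for a file such as test/foo.pem is not matched and the filter does not suppress it. Something like "/test/.*\.pem" (and the same for the .c, .cpp and .pyc lines) says what is intended and keeps the pem-certificate suppression confined to the test tree, so a certificate or key shipped anywhere else is still reported. The second filter also uses "tests/" where the other two use "test/"; please confirm which directory is meant.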
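Review bot: in the python314.spec hunk at -124, "%define folderversion 3.14.2" repeats the value that the next hunk sets in "Version: 3.14.2", so every update has to change two literals and a missed one only shows up when the source directory is not found. The comment above it ("We don't process beta signs well") explains why it is separate for pre-releases; for final releases consider deriving it from %{version}, or add a short comment next to Version reminding the packager to bump folderversion as well.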